CVE-2024-27295

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-27295
Directus is a real-time API and App dashboard for managing SQL database content. The password reset mechanism of the Directus backend allows attackers to receive a password reset email of a victim user, specifically having it arrive at a similar email address as the victim with a one or more characters changed to use accents. This is due to the fact that by default MySQL/MariaDB are configured for accent-insensitive and case-insensitive comparisons. This vulnerability is fixed in version 10.8.3.

8.2 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/directus/directus/security/advisories/GHSA-qw9g-7549-7wg5
https://github.com/directus/directus/security/advisories/GHSA-qw9g-7549-7wg5
Configurations

No configuration.

History

21 Nov 2024, 09:04

Type Values Removed Values Added
References () https://github.com/directus/directus/security/advisories/GHSA-qw9g-7549-7wg5 - () https://github.com/directus/directus/security/advisories/GHSA-qw9g-7549-7wg5 -
Summary
  • (es) Directus es una API y un panel de aplicaciones en tiempo real para administrar el contenido de la base de datos SQL. El mecanismo de restablecimiento de contraseña del backend de Directus permite a los atacantes recibir un correo electrónico de restablecimiento de contraseña de un usuario víctima, específicamente hacer que llegue a una dirección de correo electrónico similar a la de la víctima con uno o más caracteres modificados para usar acentos. Esto se debe al hecho de que, de forma predeterminada, MySQL/MariaDB están configurados para comparaciones que no distinguen acentos ni mayúsculas y minúsculas. Esta vulnerabilidad se solucionó en la versión 10.8.3.

01 Mar 2024, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-03-01 16:15

Updated : 2024-11-21 09:04

NVD link : CVE-2024-27295

Mitre link : CVE-2024-27295

CVE.ORG link : CVE-2024-27295

JSON object : View

Products Affected

No product.

CWE
CWE-706

Use of Incorrectly-Resolved Name or Reference


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024