CVE-2024-54128: Directus has an HTML Injection in Comment

5.7 CVSS

Description

Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection. This vulerability is fixed in 10.13.4 and 11.2.0.

Classification

CVE ID: CVE-2024-54128

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.7

Affected Products

Vendor: directus

Product: directus

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.44% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://github.com/directus/directus/security/advisories/GHSA-r6wx-627v-gh2f

Timeline

2024-12-06 00:32:16 UTC
CVE

Directus has an HTML Injection in Comment