GHSA-4hmq-ggrm-qfc6

Source
https://github.com/advisories/GHSA-4hmq-ggrm-qfc6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-4hmq-ggrm-qfc6/GHSA-4hmq-ggrm-qfc6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-4hmq-ggrm-qfc6
Aliases
Published
2023-03-07T20:35:54Z
Modified
2023-11-01T05:01:34.932520Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
directus vulnerable to HTML Injection in Password Reset email to custom Reset URL
Details

Impact

Instances that rely on an allow-listed custom reset URL are vulnerable to HTML injection: query parameters appended to an allow-listed reset URL are carried into the password reset email without being escaped, so an attacker who requests a reset for a victim's account can place arbitrary HTML in the email the victim receives. Only integrity is affected (CVSS C:N/I:H/A:N); the vector is the email body, not the Directus application itself.

Patches

The problem has been fixed in version 9.23.0. Instances that rely on a custom password reset URL should upgrade to 9.23.0 or later, or remove the custom reset URL from the configured allow list.

Workarounds

Disable the custom reset URL allow list.

Database specific
{
    "nvd_published_at": "2023-03-06T17:15:00Z",
    "github_reviewed_at": "2023-03-07T20:35:54Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true,
    "severity": "HIGH"
}
References

Affected packages

npm / directus

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.23.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-4hmq-ggrm-qfc6/GHSA-4hmq-ggrm-qfc6.json"