Directus Users: Upgrade Now to Patch Critical HTML Injection Vulnerability

CVE: CVE-2023-27474
CVSS (v3.1): 8
Source: CVE-2023-27474

Directus, an open source API and dashboard tool for managing SQL databases, had a vulnerability that allowed attackers to conduct HTML injection attacks.

HTML injection occurs when malicious code is inserted into an HTML page. This can be used by attackers to redirect users to fake pages designed to steal login credentials or other private information.

The vulnerability was in Directus’ custom password reset functionality. If a server had a custom reset URL configured, attackers could append malicious code to the URL’s parameters, and that code would execute in users’ browsers when they visited the reset link.

Thankfully, Directus developers were quickly notified and released version 9.23.0 to address the issue. However, all Directus users still relying on a custom reset URL are urged to upgrade immediately.

If for any reason upgrading is not possible, users should remove the custom reset URL from their server’s configuration as a temporary workaround, to block exploits of this vulnerability.
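The two defensive controls this advisory implies, validating a configurable reset URL against an allow list and escaping it before it is placed into HTML, are shown below as an added example. This is not Directus code and not the fix shipped in 9.23.0; the allow-list array, the function names and the sample URLs are all constructed for illustration. The unsafe builder shows the pattern that lets appended parameters reach the page unescaped; the safe builder rejects anything outside the allow list and encodes both the query string and the HTML.

```javascript
// Added example (not Directus project code): building a password-reset link
// safely when the reset page URL can be supplied or configured by a caller.

// Hypothetical allow list an operator would configure (constructed values).
const RESET_URL_ALLOW_LIST = [
  'https://app.example.com/reset-password',
];

// Vulnerable pattern: the supplied URL is trusted and interpolated straight
// into the HTML e-mail body, so anything appended to it lands in the page
// unescaped.
function buildResetEmailUnsafe(resetUrl, token) {
  const link = `${resetUrl}?token=${token}`;
  return `<p>Reset your password: <a href="${link}">${link}</a></p>`;
}

// Escape the characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept the requested URL only if it parses, uses https, carries no
// credentials, no query and no fragment, and matches an allow-list entry on
// origin and exact path. Returns the normalised base URL or null.
function validateResetUrl(requested, allowList = RESET_URL_ALLOW_LIST) {
  let parsed;
  try {
    parsed = new URL(requested);
  } catch {
    return null;
  }
  if (parsed.protocol !== 'https:') return null;
  if (parsed.username || parsed.password) return null;
  if (parsed.search !== '' || parsed.hash !== '') return null;
  for (const entry of allowList) {
    const allowed = new URL(entry);
    if (parsed.origin === allowed.origin && parsed.pathname === allowed.pathname) {
      return parsed.origin + parsed.pathname;
    }
  }
  return null;
}

// Hardened pattern: validate first, build the query with URLSearchParams
// (which percent-encodes the token), then HTML-escape before interpolation.
function buildResetEmailSafe(requestedUrl, token) {
  const base = validateResetUrl(requestedUrl);
  if (base === null) {
    throw new Error('reset_url is not in the configured allow list');
  }
  const link = `${base}?${new URLSearchParams({ token }).toString()}`;
  const safe = escapeHtml(link);
  return `<p>Reset your password: <a href="${safe}">${safe}</a></p>`;
}

// Usage: the safe builder either produces a link on the allow-listed page or
// refuses; the unsafe builder reproduces whatever it was given.
console.log(buildResetEmailSafe('https://app.example.com/reset-password', 'abc123'));
```

The allow-list comparison is deliberately on origin plus exact path rather than a string prefix, so `https://app.example.com.attacker.example/...` and `https://app.example.com/reset-password/../other` style variations do not pass; rejecting any query string or fragment on the configured URL is what removes the injection surface the advisory describes.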

It’s always best practice to keep software updated to the latest versions to protect against newly discovered security flaws. Directus users can stay safe by upgrading to the fixed version without delay.
