Every CVE whose affected-product data names Rangerstudio Directus, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (11)
CVE-2018-10723 — CVSS 9.8 (critical): Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in api/schema.sql.
CVE-2021-26594 — CVSS 8.8 (high): In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any control by the back end…
CVE-2021-29641 — CVSS 8.8 (high): Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to…
CVE-2022-24814 — CVSS 8.8 (high): Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can…
CVE-2023-27474 — CVSS 8.0 (high): Directus is a real-time API and App dashboard for managing SQL database content. Instances relying on an allow-listed reset URL are…
CVE-2021-26593 — CVSS 7.5 (high): In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/{id}. For each call, they get in response a…
CVE-2022-22117 — CVSS 5.4 (medium): In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in the media upload functionality, which…
CVE-2022-22116 — CVSS 5.4 (medium): In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to stored Cross-Site Scripting (XSS) vulnerability via SVG file upload in…
CVE-2021-27583 — CVSS 5.3 (medium): In Directus 8.x through 8.8.1, an attacker can discover whether a user is present in the database through the password reset feature. NOTE…
CVE-2021-26595 — CVSS 5.3 (medium): In Directus 8.x through 8.8.1, an attacker can learn sensitive information such as the version of the CMS, the PHP version used by the…
CVE-2022-23080 — CVSS 5.0 (medium): In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality…