CVE-2024-54128

medium

Description

Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection. This vulerability is fixed in 10.13.4 and 11.2.0.

References

https://github.com/directus/directus/security/advisories/GHSA-r6wx-627v-gh2f

Details

Source: Mitre, NVD

Published: 2024-12-05

Updated: 2025-11-19

Risk Information

CVSS v2

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 4.6

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N