Back to search
CVE-2021-26593
Published: Feb 23, 2021
Modified: Aug 3, 2024
PUBLISHED
Description
In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/{id}. For each call, they get in response a lot of information about the user (such as email address, first name, and last name) but also the secret for 2FA if one exists. This secret can be regenerated. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
https://github.com/sgranel/directusv8
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now