QwikSec

Security Database

CVE

CWE

Training

CVE-2025-24353

Published: Jan 23, 2025

Modified: Feb 12, 2025

PUBLISHED

CVSS v3.1

5.0

MEDIUM

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be able to see. Instances that are impacted are those that use the share feature and have specific roles hierarchy and fields that are not visible for certain roles. Version 11.2.0 contains a patch the issue.

Vendor	Product	Versions
directus	directus	affected `< 11.2.0`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

References

https://github.com/directus/directus/security/advisories/GHSA-pmf4-v838-29hg

x_refsource_CONFIRM

https://github.com/directus/directus/pull/23716

x_refsource_MISC

https://github.com/directus/directus/commit/e288a43a79613dada905da683f4919c6965ac804

x_refsource_MISC

https://github.com/directus/directus/releases/tag/v11.2.0

x_refsource_MISC

https://www.youtube.com/watch?v=DbV4IxbWzN4

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.