CVE-2023-27474

HIGH7.5EPSS 0.83%

directus vulnerable to HTML Injection in Password Reset email to custom Reset URL

Published: 3/7/2023Modified: 11/8/2023

Description

### Impact Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. ### Patches The problem has been resolved and released under version 9.23.0. People relying on a custom password reset URL should upgrade to 9.23.0 or later, or remove the custom reset url from the configured allow list. ### Workarounds Disable the custom reset URL allow list.

Affected packages (1)

npm/directusfrom 0, < 9.23.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-27474
PATCHhttps://github.com/directus/directus
WEBhttps://github.com/directus/directus/issues/17119
WEBhttps://github.com/directus/directus/pull/17120
WEBhttps://github.com/directus/directus/security/advisories/GHSA-4hmq-ggrm-qfc6