Home > Vulnerability Database > CVE-2022-26969

Mend.io Vulnerability Database

New vulnerability? Tell us about it!

CVE-2022-26969

Good to know:

Date: December 25, 2022

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.

Language: TYPE_SCRIPT

Severity Score

9.8

Related Resources (8)

Url: https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md

Url: https://github.com/directus/directus

Url: https://github.com/directus/directus/pull/12022

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-26969

Url: https://github.com/directus/directus/security/advisories/GHSA-g27j-74fp-xfpr

Url: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

Url: https://github.com/directus/directus/releases/tag/v9.7.0

Url: https://www.mend.io/vulnerability-database/CVE-2022-26969

Severity Score

9.8

Weakness Type (CWE)

Insufficient Information

NVD-CWE-noinfo

Permissive Cross-domain Security Policy with Untrusted Domains

CWE-942

Top Fix

Upgrade Version

Upgrade to version directus - 9.7.0

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Do you need more information?

Contact Us