CVE-2024-28238

Good to know:

Date: March 12, 2024

Directus is a real-time API and App dashboard for managing SQL database content. When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser history). Attackers gaining access to these logs may hijack active user sessions, leading to unauthorized access to sensitive information or actions on behalf of the user. This issue has been addressed in version 10.10.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
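As an added defender-side example (not Directus code and not part of this advisory), the following Python flags requests whose query string carries a JWT, the pattern CWE-598 describes, over constructed access-log lines, and scrubs such tokens before a line is retained; the sample token, the log lines and the parameter name access_token are assumptions.

```python
import base64
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit
# Constructed sample token (header {"alg":"HS256","typ":"JWT"}, payload {"id":"user-1"},
# placeholder signature); the "access_token" parameter name is an assumption, not Directus's.
SAMPLE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6InVzZXItMSJ9."
                "c2lnbmF0dXJlLXBsYWNlaG9sZGVy")
SAMPLE_LOG = f"""\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /files?access_token={SAMPLE_TOKEN} HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "GET /files?limit=25&page=2 HTTP/1.1" 200 2048
198.51.100.4 - - [12/Mar/2024:10:00:03 +0000] "GET /items/articles?fields=id,title HTTP/1.1" 200 870
"""
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
JWT_RE = re.compile(r"^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*$")

def looks_like_jwt(value: str) -> bool:
    """Header.payload.signature whose header decodes to JSON with an "alg" key."""
    if not JWT_RE.match(value):
        return False
    header_b64 = value.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)  # restore stripped base64 padding
    try:
        header = json.loads(base64.urlsafe_b64decode(header_b64))
    except ValueError:  # not base64 or not JSON: an ordinary dotted value
        return False
    return isinstance(header, dict) and "alg" in header

def find_token_leaks(log_text: str) -> list[dict]:
    """One finding per request whose query string carries a JWT (CWE-598)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if looks_like_jwt(value):
                findings.append({"line": lineno, "path": parts.path, "param": name})
    return findings

def redact_query_tokens(line: str) -> str:
    """Scrub JWTs from the query string before the log line is retained."""
    m = REQUEST_RE.search(line)
    if not m:
        return line
    parts = urlsplit(m.group("target"))
    pairs = [(k, "[REDACTED_JWT]" if looks_like_jwt(v) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = parts._replace(query=urlencode(pairs, safe="[],")).geturl()
    return line[:m.start("target")] + target + line[m.end("target"):]
```

Redaction only limits exposure in log storage; the fix for the issue itself is the upgrade to 10.10.0 noted above.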

Language: TypeScript

Severity Score

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Use of GET Request Method With Sensitive Query Strings

CWE-598

Top Fix

Upgrade Version

Upgrade directus to version 10.10.0

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): HIGH
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE
