Vulnerabilities > Rangerstudio

DATE CVE VULNERABILITY TITLE RISK
2023-03-06 CVE-2023-27474 Cross-site Scripting vulnerability in Rangerstudio Directus
Directus is a real-time API and App dashboard for managing SQL database content.
network
low complexity
rangerstudio CWE-79
5.4
2022-06-22 CVE-2022-23080 Server-Side Request Forgery (SSRF) vulnerability in Rangerstudio Directus
In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network port scans.
network
low complexity
rangerstudio CWE-918
5.0
2022-04-04 CVE-2022-24814 Cross-site Scripting vulnerability in Rangerstudio Directus
Directus is a real-time API and App dashboard for managing SQL database content.
network
low complexity
rangerstudio CWE-79
6.1
2022-01-10 CVE-2022-22116 Cross-site Scripting vulnerability in Rangerstudio Directus
In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to stored Cross-Site Scripting (XSS) vulnerability via SVG file upload in media upload functionality.
network
low complexity
rangerstudio CWE-79
5.4
2022-01-10 CVE-2022-22117 Cross-site Scripting vulnerability in Rangerstudio Directus
In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in the media upload functionality, which leads to Cross-Site Scripting vulnerability.
network
low complexity
rangerstudio CWE-79
5.4
2021-04-07 CVE-2021-29641 Unrestricted Upload of File with Dangerous Type vulnerability in Rangerstudio Directus
Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory.
network
low complexity
rangerstudio CWE-434
8.8
2021-02-23 CVE-2021-27583 Information Exposure Through Discrepancy vulnerability in Rangerstudio Directus
In Directus 8.x through 8.8.1, an attacker can discover whether a user is present in the database through the password reset feature.
network
low complexity
rangerstudio CWE-203
5.3
2021-02-23 CVE-2021-26595 Cleartext Storage of Sensitive Information vulnerability in Rangerstudio Directus
In Directus 8.x through 8.8.1, an attacker can learn sensitive information such as the version of the CMS, the PHP version used by the site, and the name of the DBMS, simply by view the result of the api-aa, called automatically upon a connection.
network
low complexity
rangerstudio CWE-312
5.3
2021-02-23 CVE-2021-26594 Improper Privilege Management vulnerability in Rangerstudio Directus
In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any control by the back end.
network
low complexity
rangerstudio CWE-269
8.8
2021-02-23 CVE-2021-26593 Information Exposure vulnerability in Rangerstudio Directus
In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/{id}.
network
low complexity
rangerstudio CWE-200
7.5