Vulnerabilities > Rangerstudio
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-06 | CVE-2023-27474 | Cross-site Scripting vulnerability in Rangerstudio Directus Directus is a real-time API and App dashboard for managing SQL database content. | 5.4 |
| 2022-06-22 | CVE-2022-23080 | Server-Side Request Forgery (SSRF) vulnerability in Rangerstudio Directus In directus versions v9.0.0-beta.2 through 9.6.0 are vulnerable to server-side request forgery (SSRF) in the media upload functionality which allows a low privileged user to perform internal network port scans. | 5.0 |
| 2022-04-04 | CVE-2022-24814 | Cross-site Scripting vulnerability in Rangerstudio Directus Directus is a real-time API and App dashboard for managing SQL database content. | 4.3 |
| 2022-01-10 | CVE-2022-22116 | Cross-site Scripting vulnerability in Rangerstudio Directus In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to stored Cross-Site Scripting (XSS) vulnerability via SVG file upload in media upload functionality. | 3.5 |
| 2022-01-10 | CVE-2022-22117 | Cross-site Scripting vulnerability in Rangerstudio Directus In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in the media upload functionality, which leads to Cross-Site Scripting vulnerability. | 3.5 |
| 2021-04-07 | CVE-2021-29641 | Unrestricted Upload of File with Dangerous Type vulnerability in Rangerstudio Directus Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. | 6.5 |
| 2021-02-23 | CVE-2021-27583 | Information Exposure Through Discrepancy vulnerability in Rangerstudio Directus In Directus 8.x through 8.8.1, an attacker can discover whether a user is present in the database through the password reset feature. | 5.3 |
| 2021-02-23 | CVE-2021-26595 | Cleartext Storage of Sensitive Information vulnerability in Rangerstudio Directus In Directus 8.x through 8.8.1, an attacker can learn sensitive information such as the version of the CMS, the PHP version used by the site, and the name of the DBMS, simply by view the result of the api-aa, called automatically upon a connection. | 5.3 |
| 2021-02-23 | CVE-2021-26594 | Improper Privilege Management vulnerability in Rangerstudio Directus In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any control by the back end. | 8.8 |
| 2021-02-23 | CVE-2021-26593 | Information Exposure vulnerability in Rangerstudio Directus In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/{id}. | 7.5 |