CVE-2024-27295

CVSS 3.1 Score 8.2 of 10 (high)

Details

Published Mar 1, 2024
CWE ID 706

Summary

CVE-2024-27295 is a vulnerability affecting Directus, a real-time API and App dashboard for managing SQL database content. The issue lies in the password reset mechanism of the Directus backend, which allows attackers to manipulate email addresses with accents to trick the system into sending password reset emails to their control. This vulnerability arises due to the default configuration of MySQL/MariaDB for accent-insensitive and case-insensitive comparisons. Directus has addressed this issue in version 10.8.3.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share