CVE-2024-54151
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2024-54151 is a vulnerability affecting Directus, a real-time API and dashboard for managing SQL database content. In versions from 11.0.0 up to but not including 11.3.0, setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public" allows unauthenticated users to execute any CRUD operation and subscription with full admin privileges. The issue affects Directus instances whose WebSocket endpoints are reachable with `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` set to "public": unauthenticated users can subscribe to changes on any collection and perform REST CRUD operations regardless of configured permissions. The vulnerability is resolved in version 11.3.0.
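A configuration check for the exposure described above, added here as an example and not part of this entry or of Directus itself. It parses a `.env`-style file, and flags either watched variable set to "public" when the version is in the affected range; the `.env` parser, the sample config, and the `WEBSOCKETS_ENABLED` key and `handshake` value in the sample are assumptions made for this example.

```python
"""Flag Directus deployments exposed to CVE-2024-54151: version in
[11.0.0, 11.3.0) with a WebSocket auth mode set to "public"."""
import re

AFFECTED_MIN = (11, 0, 0)   # first affected version (inclusive)
FIXED = (11, 3, 0)          # version that resolves the issue (exclusive)
WATCHED_VARS = ("WEBSOCKETS_GRAPHQL_AUTH", "WEBSOCKETS_REST_AUTH")


def parse_version(text):
    """Turn '11.2.1' (optionally with a leading 'v') into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def parse_dotenv(text):
    """Minimal KEY=VALUE parser (assumed format): skips blanks and comments,
    strips one matching pair of surrounding quotes from the value."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def check_cve_2024_54151(version, dotenv_text):
    """Return the watched variables set to 'public' on an affected version.
    An empty list means the instance is not exposed through this CVE."""
    v = parse_version(version)
    if not (AFFECTED_MIN <= v < FIXED):
        return []
    env = parse_dotenv(dotenv_text)
    return [k for k in WATCHED_VARS if env.get(k, "").strip().lower() == "public"]


# Constructed sample: a pre-fix instance exposing the REST WebSocket handler.
SAMPLE_ENV = """
# constructed Directus .env fragment for this example
WEBSOCKETS_ENABLED=true
WEBSOCKETS_REST_AUTH="public"
WEBSOCKETS_GRAPHQL_AUTH=handshake
"""

if __name__ == "__main__":
    for ver in ("11.2.1", "11.3.0"):
        print(ver, check_cve_2024_54151(ver, SAMPLE_ENV))
```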