Cross-site scripting in Directus - CVE-2023-27474

Published: March 6, 2023 / Updated: April 23, 2026


Vulnerability identifier: #VU127090
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2023-27474
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Directus
Software vendor:
Directus

Description

The vulnerability allows a remote attacker to inject HTML content into password reset emails.

The vulnerability exists due to insufficient sanitization of the query parameters of a caller-supplied custom reset URL when the password reset email is generated: the URL, including whatever query string the requester attached, is embedded in the HTML body of the email without neutralizing HTML metacharacters. A remote attacker can request a password reset for a target account with a specially crafted reset URL whose query parameters carry HTML markup, which is then delivered unescaped in the password reset email sent to that user.

Only instances relying on an allow-listed custom reset URL are vulnerable.
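The following is an added illustration of the bug class described above; it is not Directus's own code and does not reproduce the project's reset-email implementation. The allow list, the email template, the function names and the attacker input are assumptions constructed for the example. It shows why an allow-list check that matches only origin and path lets an attacker-controlled query string through, how string concatenation then drops that query string unescaped into the email's href attribute, and a hardened variant that rebuilds the link from the allow-listed base and HTML-escapes it.

```javascript
// Added example, not Directus code. All names and data below are constructed.

// Constructed allow list of permitted custom reset URLs (origin + path).
const RESET_URL_ALLOW_LIST = ['https://app.example.com/reset-password'];

// Minimal HTML escaper covering text and double-quoted attribute contexts.
function htmlEscape(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Allow-list check that compares only origin and path. A check of this shape
// passes any query string the requester appends, which is what the email
// builder below must not trust.
function isAllowListed(resetUrl) {
  let u;
  try { u = new URL(resetUrl); } catch { return false; }
  return RESET_URL_ALLOW_LIST.includes(u.origin + u.pathname);
}

// VULNERABLE pattern: the caller's URL is concatenated verbatim and placed in an
// href attribute unescaped, so a query value containing "><...> breaks out of
// the attribute and injects markup into the email body.
function buildResetEmailVulnerable(resetUrl, token) {
  if (!isAllowListed(resetUrl)) throw new Error('reset URL not in allow list');
  const sep = resetUrl.includes('?') ? '&' : '?';
  const link = `${resetUrl}${sep}token=${token}`;
  return `<p>Reset your password: <a href="${link}">${link}</a></p>`;
}

// HARDENED pattern: keep only the allow-listed origin and path, rebuild the
// query with the token alone, and HTML-escape the serialized URL when it is
// inserted into the template.
function buildResetEmailHardened(resetUrl, token) {
  if (!isAllowListed(resetUrl)) throw new Error('reset URL not in allow list');
  const u = new URL(resetUrl);
  u.search = ''; // discard anything the requester appended
  u.hash = '';
  u.searchParams.set('token', token); // WHATWG serializer percent-encodes as needed
  const link = htmlEscape(u.toString());
  return `<p>Reset your password: <a href="${link}">${link}</a></p>`;
}

// Constructed attacker input: passes the origin+path allow list, but the query
// string carries markup aimed at the email body.
const ATTACKER_RESET_URL =
  'https://app.example.com/reset-password?x="><img src=x onerror=alert(1)>';
const SAMPLE_TOKEN = 'tok-123'; // constructed placeholder, not a real token

// Builds both variants for the same attacker-controlled request.
function demo() {
  return {
    vulnerable: buildResetEmailVulnerable(ATTACKER_RESET_URL, SAMPLE_TOKEN),
    hardened: buildResetEmailHardened(ATTACKER_RESET_URL, SAMPLE_TOKEN),
  };
}

const result = demo();
console.log('vulnerable:', result.vulnerable);
console.log('hardened:  ', result.hardened);
```

Running it shows the vulnerable output containing the raw `<img ... onerror=...>` tag inside the email, while the hardened output contains only the allow-listed base URL and the token. Note that `new URL(...).toString()` alone already percent-encodes `"`, `<` and `>` in the query, so the injection depends on the original string being used without re-serialization; the hardened variant nevertheless drops the caller's query entirely and escapes on output, so it does not rely on that encoding behaviour.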


Remediation

Install the security update from the vendor's website.

External links