Information disclosure in Directus - CVE-2024-34708

Published: May 13, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127100
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-34708
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Directus
Software vendor:
Directus

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in the API alias functionality when handling alias parameters for redacted hashed fields. A remote privileged user can send a crafted request using the alias parameter to disclose sensitive information.

The issue allows retrieval of the raw stored value of fields that would normally be returned in redacted form.
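To make the failure mode concrete, the following is an added illustration written for this page; it is not Directus code and does not claim to reproduce the project's actual defect. It models the general class the description refers to: an API that redacts "hashed" fields by looking at the output key of each response value, which an alias (a client-chosen output key mapped to a stored field) silently bypasses, next to a hardened variant that resolves every output key back to its source field before deciding on redaction. The schema, rows, query shape and the `special: ["hash"]` marker are all constructed for the example.

```javascript
// Added illustration (not Directus code): output-name-keyed redaction versus
// source-field-keyed redaction when the client may alias fields.

// Constructed schema: the "hash" special marks a field that must leave the
// API only in redacted form.
const SCHEMA = {
  users: {
    fields: {
      id: { special: [] },
      email: { special: [] },
      password: { special: ["hash"] },
    },
  },
};

// Constructed stored rows; the hash value is a placeholder, not a real digest.
const ROWS = {
  users: [
    { id: 1, email: "alice@example.test", password: "$argon2id$constructed-placeholder-hash" },
  ],
};

const REDACTED = "**********";

function isHashedField(collection, field) {
  const def = SCHEMA[collection].fields[field];
  return Boolean(def && def.special.includes("hash"));
}

// Resolve a constructed query shape such as
//   { fields: ["id", "pw"], alias: { pw: "password" } }
// into [{ outputKey, sourceField }, ...]. An alias lets the client receive a
// stored field under a different key in the response.
function resolveFields(query) {
  const aliasMap = query.alias || {};
  return (query.fields || []).map((name) =>
    name in aliasMap
      ? { outputKey: name, sourceField: aliasMap[name] }
      : { outputKey: name, sourceField: name }
  );
}

// WEAK (assumed pattern for this bug class): values are copied into the
// response first, and redaction is keyed on the *output* key. A hashed field
// requested under an alias is never recognised, so its raw value is returned.
function queryWeak(collection, query) {
  const resolved = resolveFields(query);
  return ROWS[collection].map((row) => {
    const out = {};
    for (const { outputKey, sourceField } of resolved) {
      if (sourceField in row) out[outputKey] = row[sourceField];
    }
    for (const key of Object.keys(out)) {
      if (isHashedField(collection, key)) out[key] = REDACTED;
    }
    return out;
  });
}

// HARDENED: decide redaction on the *source* field each output key maps to,
// before the value is ever copied into the response, so the client-chosen
// output key has no influence on what gets redacted.
function queryHardened(collection, query) {
  const resolved = resolveFields(query);
  return ROWS[collection].map((row) => {
    const out = {};
    for (const { outputKey, sourceField } of resolved) {
      if (!(sourceField in row)) continue;
      out[outputKey] = isHashedField(collection, sourceField)
        ? REDACTED
        : row[sourceField];
    }
    return out;
  });
}

// Usage: the same aliased query against both implementations.
const aliasedQuery = { fields: ["id", "pw"], alias: { pw: "password" } };
console.log(queryWeak("users", aliasedQuery));     // "pw" carries the stored hash
console.log(queryHardened("users", aliasedQuery)); // "pw" is redacted
```

The defensive point is the ordering: any access-control or redaction decision must be made against the canonical field identity, and aliasing (or any other client-controlled renaming) must be applied only after that decision. A regression test that requests every redacted field under an arbitrary alias and asserts the response never contains the raw value is a cheap way to keep this property from silently breaking.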


Remediation

Install the security update from the vendor's website.

External links