#VU127109 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Directus - CVE-2024-54128

Published: December 5, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127109
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-54128
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Directus
Software vendor:
Directus

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper neutralization of script-related HTML tags in the comment feature when handling comment update requests. A remote user can send a specially crafted request to disclose sensitive information.

User interaction is required to view the injected content, and the issue can enable authenticated actions in the current user's session context.
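The defect class described above, as an added illustration that is not Directus code: a hypothetical comment store whose create path neutralizes HTML but whose update path stores the raw body, beside a hardened store that routes every write through one neutralization step (CWE-80). Store, method and payload names are constructed for the example.

```javascript
// Added example, not Directus code. Demonstrates why neutralization must be
// applied on every write path (create AND update), not only on create.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Neutralize markup so a browser renders the comment body as text (CWE-80).
function neutralizeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical vulnerable store: create() neutralizes, update() does not.
class VulnerableCommentStore {
  constructor() { this.comments = new Map(); this.nextId = 1; }
  create(body) { const id = this.nextId++; this.comments.set(id, neutralizeHtml(body)); return id; }
  update(id, body) { this.comments.set(id, body); } // defect: raw body persisted
  get(id) { return this.comments.get(id); }
}

// Hypothetical hardened store: a single internal write step every public
// method must go through, so a new path cannot silently skip the check.
class HardenedCommentStore {
  constructor() { this.comments = new Map(); this.nextId = 1; }
  _write(id, body) { this.comments.set(id, neutralizeHtml(body)); }
  create(body) { const id = this.nextId++; this._write(id, body); return id; }
  update(id, body) { if (!this.comments.has(id)) throw new Error('unknown comment'); this._write(id, body); }
  get(id) { return this.comments.get(id); }
}

// Detection helper: does stored content still carry a live script tag?
function containsScriptTag(html) {
  return /<\s*script\b/i.test(String(html));
}

// Run both stores through the same create-then-update sequence.
function demo() {
  const payload = '<script>/* constructed sample */</script>'; // constructed input
  const vulnerable = new VulnerableCommentStore();
  const hardened = new HardenedCommentStore();
  const vId = vulnerable.create('hello');
  const hId = hardened.create('hello');
  vulnerable.update(vId, payload);
  hardened.update(hId, payload);
  return {
    vulnerableStoresScript: containsScriptTag(vulnerable.get(vId)),
    hardenedStoresScript: containsScriptTag(hardened.get(hId)),
    hardenedBody: hardened.get(hId),
  };
}

console.log(demo());
```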


Remediation

Install the security update from the vendor's website.

External links