Direct Request ('Forced Browsing')

CVE-2019-13981

Medium

5.3/10

Summary

In Directus 7 API through 2.3.0, remote attackers can read image files via a direct request for a filename under the uploads/_/originals/ directory. This is related to a configuration option in which the file collection can be non-public, but this option does not apply to the thumbnailer.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-425 - Direct Request ('Forced Browsing')

The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.

References

Advisory Timeline

Published Jul 19, 2019

Direct Request ('Forced Browsing')

CVE-2019-13981

Summary

CWE-425 - Direct Request ('Forced Browsing')

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS