Publish GHSA-r6wx-627v-gh2f

Author: advisory-database[bot]

advisories/github-reviewed/2024/12/GHSA-r6wx-627v-gh2f/GHSA-r6wx-627v-gh2f.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r6wx-627v-gh2f",
-  "modified": "2024-12-05T22:37:33Z",
+  "modified": "2025-11-19T17:50:43Z",
   "published": "2024-12-05T22:37:32Z",
   "aliases": [
     "CVE-2024-54128"
   ],
   "summary": "Directus has an HTML Injection in Comment",
-  "details": "### Summary\nThe Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection.\n\n### Details\nThe Comment feature implements a character filter on the client-side, this can be bypassed by directly sending a request to the endpoint.\n\nExample Request:\n\n```\nPATCH /activity/comment/3 HTTP/2\nHost: directus.local\n\n{\n  \"comment\": \"<h1>TEST <p style=\\\"color:red\\\">HTML INJECTION</p> <a href=\\\"//evil.com\\\">Test Link</a></h1>\"\n}\n```\n\nExample Response:\n\n```json\n{\n  \"data\": {\n    \"id\": 3,\n    \"action\": \"comment\",\n    \"user\": \"288fdccc-399a-40a1-ac63-811bf62e6a18\",\n    \"timestamp\": \"2023-09-06T02:23:40.740Z\",\n    \"ip\": \"10.42.0.1\",\n    \"user_agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\",\n    \"collection\": \"directus_files\",\n    \"item\": \"7247dda1-c386-4e7a-8121-7e9c1a42c15a\",\n    \"comment\": \"<h1>TEST <p style=\\\"color:red\\\">HTML INJECTION</p> <a href=\\\"//evil.com\\\">Test Link</a></h1>\",\n    \"origin\": \"https://directus.local\",\n    \"revisions\": []\n  }\n}\n```\n\nExample Result:\n\n![Screenshot 2023-09-06 094536](https://user-images.githubusercontent.com/61263002/265876100-12e068fe-3d53-41b4-bfcb-458c2bc2a638.png)\n\n## Impact\n\nWith the introduction of session cookies this issue has become exploitable as a malicious script is now able to do authenticated actions on the current users behalf.\n",
+  "details": "### Summary\nThe Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection.\n\n### Details\nThe Comment feature implements a character filter on the client-side, this can be bypassed by directly sending a request to the endpoint.\n\nExample Request:\n\n```\nPATCH /activity/comment/3 HTTP/2\nHost: directus.local\n\n{\n  \"comment\": \"<h1>TEST <p style=\\\"color:red\\\">HTML INJECTION</p> <a href=\\\"//evil.com\\\">Test Link</a></h1>\"\n}\n```\n\nExample Response:\n\n```json\n{\n  \"data\": {\n    \"id\": 3,\n    \"action\": \"comment\",\n    \"user\": \"288fdccc-399a-40a1-ac63-811bf62e6a18\",\n    \"timestamp\": \"2023-09-06T02:23:40.740Z\",\n    \"ip\": \"10.42.0.1\",\n    \"user_agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\",\n    \"collection\": \"directus_files\",\n    \"item\": \"7247dda1-c386-4e7a-8121-7e9c1a42c15a\",\n    \"comment\": \"<h1>TEST <p style=\\\"color:red\\\">HTML INJECTION</p> <a href=\\\"//evil.com\\\">Test Link</a></h1>\",\n    \"origin\": \"https://directus.local\",\n    \"revisions\": []\n  }\n}\n```\n\nExample Result:\n\n![Screenshot 2023-09-06 094536](https://user-images.githubusercontent.com/61263002/265876100-12e068fe-3d53-41b4-bfcb-458c2bc2a638.png)\n\n## Impact\n\nWith the introduction of session cookies this issue has become exploitable as a malicious script is now able to do authenticated actions on the current users behalf.",
   "severity": [
     {
       "type": "CVSS_V3",