Directus · Directus · CVE-2023-26492
**Name of the Vulnerable Software and Affected Versions**
Directus versions prior to 9.23.0
**Description**
Directus is a real-time API and App dashboard for managing SQL database content. Versions prior to 9.23.0 are vulnerable to Server-Side Request Forgery (SSRF) when a file is imported from a remote web server via a POST request to the `/files/import` API endpoint. The endpoint validates the destination before fetching it, but the validation and the fetch resolve the hostname separately, so an attacker who controls a DNS name can answer the first lookup with a public address and the second with an internal one (a DNS rebinding attack). The server then connects to the internal address on the attacker's behalf, which allows reading responses from internal services that are not reachable from the outside and performing a port scan of the local network.
**Recommendations**
For versions prior to 9.23.0, update to version 9.23.0 or later, which resolves the issue. As a temporary workaround until the update is applied, restrict access to the `/files/import` API endpoint, for example by limiting which roles may import files in Directus or by blocking the route at a reverse proxy. Because the vulnerability is a bypass of the destination check itself, an address deny list alone does not protect an unpatched instance; disabling remote imports entirely, where they are not needed, removes the exposure.