Votr123

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 2.4.3 **Description** Budibase is a low code platform for creating internal tools, workflows, and admin panels. The issue can lead to an attacker gaining access to a Budibase AWS secret key due to Server-Side Request Forgery. Self-host users who run Budibase on the public internet and are using a cloud provider that allows HTTP access to metadata information should ensure that when they deploy Budibase live, their internal metadata endpoint is not exposed. **Recommendations** For versions prior to 2.4.3, update to version 2.4.3 or later to resolve the issue. As a temporary workaround, self-host users should ensure their internal metadata endpoint is not exposed when deploying Budibase live.

**Name of the Vulnerable Software and Affected Versions** Directus versions prior to 9.23.0 **Description** Directus is a real-time API and App dashboard for managing SQL database content. It is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server via a POST request to the `/files/import` API endpoint. An attacker can bypass security controls by performing a DNS rebinding attack, allowing them to view sensitive data from internal servers or perform a local port scan. This can be exploited to access highly sensitive internal servers and steal sensitive information. **Recommendations** For versions prior to 9.23.0, update to version 9.23.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/files/import` API endpoint until the update is applied. Additionally, restricting the ability to import files from remote web servers can help minimize the risk of exploitation.