CVE-2019-13981

Name of the Vulnerable Software and Affected Versions Directus versions 7 through 2.3.0

Description The issue allows remote attackers to read image files by making a direct request for a filename under the uploads/ /originals/ directory. This is related to a configuration option where the file collection can be non-public, but this option does not apply to the thumbnailer.

Recommendations For versions 7 through 2.3.0, consider restricting access to the uploads/ /originals/ directory to minimize the risk of exploitation. As a temporary workaround, review and adjust the configuration option related to the file collection to ensure it applies appropriately, including considerations for the thumbnailer.