Directus · Directus · CVE-2025-27089
**Name of the Vulnerable Software and Affected Versions**
Directus versions prior to 11.1.2
**Description**
The issue allows update access to unintended fields due to overlapping policies for the `update` action, potentially impacting the password field for user accounts. In affected versions, if there are two overlapping policies that allow access to different fields, the user is allowed to update the superset of fields allowed by any of the policies. For example, having one policy allowing update access to `field a` if the `id == 1` and one policy allowing update access to `field b` if the `id == 2`, the user with both policies can update both `field a` and `field b` for the items with ids `1` and `2`. The solution involves evaluating permissions for each field that the user tries to update in the `validateItemAccess` DB query, instead of only verifying access to the item as a whole. This is done by returning a flag that indicates if the user has access to that field, using the same case/when mechanism that is used for stripping out non-permitted fields.
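To make the overlap concrete, here is an added JavaScript model of the two checks described above; it is not Directus code, and the policy shape, sample items and function names are constructed for illustration. The first function reproduces the item-level check that yields the superset of fields, the second computes a per-field access flag in the spirit of the fix.

```javascript
// Added illustration of CVE-2025-27089's permission-merging flaw; not Directus code.
// Policies, items and function names are constructed for this example.

// Each policy grants update access to some fields, but only for items that
// satisfy its condition (a simplified stand-in for a Directus permission filter).
const policies = [
  { name: 'policy-1', fields: ['a'], matches: (item) => item.id === 1 },
  { name: 'policy-2', fields: ['b'], matches: (item) => item.id === 2 },
];

// Constructed sample items.
const items = {
  1: { id: 1, a: 'old-a', b: 'old-b' },
  2: { id: 2, a: 'old-a', b: 'old-b' },
};

// Vulnerable behaviour (pre-11.1.2 as described): access is checked for the item
// as a whole, and the allowed field list is the union across all policies.
function canUpdateVulnerable(item, requestedFields) {
  const itemAccessible = policies.some((p) => p.matches(item));
  const unionOfFields = new Set(policies.flatMap((p) => p.fields));
  return itemAccessible && requestedFields.every((f) => unionOfFields.has(f));
}

// Per-field flags, analogous to the case/when flag the fix computes: a field is
// accessible on this item only via a policy whose condition this item satisfies.
function fieldAccessFlags(item) {
  const flags = {};
  for (const field of new Set(policies.flatMap((p) => p.fields))) {
    flags[field] = policies.some((p) => p.fields.includes(field) && p.matches(item));
  }
  return flags;
}

// Fixed behaviour: every requested field must carry a true flag for this item.
// A field no policy mentions has no flag and is therefore rejected.
function canUpdateFixed(item, requestedFields) {
  const flags = fieldAccessFlags(item);
  return requestedFields.every((f) => flags[f] === true);
}

// Demonstration: updating field b on item 1 is wrongly allowed before the fix.
console.log('vulnerable, item 1, field b:', canUpdateVulnerable(items[1], ['b'])); // true
console.log('fixed,      item 1, field b:', canUpdateFixed(items[1], ['b']));      // false
```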
**Recommendations**
To resolve the issue, upgrade to version 11.1.2 or later, as this version addresses the vulnerability and there are no known workarounds.