Apache · Apache HTTP Server · CVE-2021-29641
**Name of the Vulnerable Software and Affected Versions**
Directus 8 versions prior to 8.8.2
**Description**
The issue allows remote authenticated users to execute arbitrary code. This is possible because file-upload permissions include the ability to upload a .php file to the main upload directory and/or upload a .php file and a .htaccess file to a subdirectory. Exploitation succeeds only on certain installations that use the Apache HTTP Server and the local-storage driver.
**Recommendations**
For Directus 8 versions prior to 8.8.2, update to version 8.8.2 or later to resolve the issue. As a temporary workaround, consider restricting file upload permissions to prevent the upload of .php and .htaccess files.
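To check whether such files are already present, the following added example (not Directus project code) audits a local-storage upload directory for the file types named above. The upload directory path is supplied by the operator, the function name `audit_uploads` is hypothetical, and the `.phtml` and `.phar` extensions go beyond the advisory's `.php` as an assumption about which extensions the local Apache PHP handler is mapped to.

```shell
#!/bin/sh
# Added example: audit an upload directory for files that should never be
# there on an Apache + local-storage install (.htaccess and PHP scripts).
# Uses find -iname (GNU/BSD/busybox) so that "X.PHP" is also caught.

# audit_uploads DIR
# Prints one line per finding: "<kind><TAB><path>".
# Returns 0 if clean, 1 if findings exist, 2 if DIR is not a directory.
audit_uploads() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    findings=$(
        # A .htaccess in any subdirectory can change how Apache treats
        # the other files uploaded next to it.
        find "$dir" -type f -iname '.htaccess' \
            -exec printf 'htaccess\t%s\n' {} \;
        # Extensions commonly mapped to the PHP handler (assumption:
        # adjust to match the handler configuration on your server).
        find "$dir" -type f \
            \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) \
            -exec printf 'php\t%s\n' {} \;
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit.sh /path/to/uploads
if [ $# -gt 0 ]; then
    audit_uploads "$1"
fi
```

A non-zero exit status makes the function usable in a cron job or CI check; any finding on a pre-8.8.2 install warrants reviewing who uploaded the file and when.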