Directus · Directus · CVE-2025-55746
**Name of the Vulnerable Software and Affected Versions**
Directus versions 10.8.0 through 11.9.2
**Description**
A flaw in the file update mechanism of the Directus API allows an unauthenticated actor to overwrite existing files with arbitrary content, or to upload new files with arbitrary content and arbitrary extensions. The changes are silent: the database-resident file metadata is not touched, so overwritten files keep their original records and newly written files never appear in the Directus user interface. The issue is in the `/files` endpoint, specifically in handling of the `pk` parameter that identifies a file by its UUID. In the local storage handler, the `write()` and `fullpath()` functions do not properly sanitize the `filename_disk` value, so an attacker can bypass the `temp_` prefix that in-flight uploads are supposed to carry and place a file of any name in the upload folder.
This can lead to Remote Code Execution (RCE) when the upload directory is exposed by a web server that executes scripts found there (for example a PHP handler mapped to that path), since the attacker can drop a webshell such as a `.php` file. Even without script execution, an attacker can host SVG files that carry phishing content or script, or poison documents that the instance already serves. It is estimated that between 10,600 and 177,700 instances may be exposed worldwide.
**Recommendations**
Update to version 11.9.3.
As a temporary mitigation, restrict unauthenticated access to the `/files` endpoint (in particular the write methods used to create and update files), or place a Web Application Firewall (WAF) in front of Directus to block suspicious upload requests and executable file extensions such as `.php`, `.jsp`, `.asp`, and `.exe`. An extension denylist is a partial control only: the stored name is attacker-controlled, so the rule must be applied to the `filename_disk` value as well as the upload's own filename, and the upload directory should never be served by a handler that executes scripts.