Stanislas Granel

**Name of the Vulnerable Software and Affected Versions** Directus versions 8.x through 8.8.1 **Description** The issue allows an attacker to see all users in the CMS using the API endpoint "/users/{id}". For each call, they get in response a lot of information about the user, such as email address, first name, and last name, but also the secret for 2FA if one exists. This secret can be regenerated. The issue only affects products that are no longer supported by the maintainer. **Recommendations** For versions 8.x through 8.8.1, as a temporary workaround, consider disabling the API endpoint "/users/{id}" until a patch is available. Restrict access to the user information to minimize the risk of exploitation. Avoid using the `id` variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Directus versions 8.x through 8.8.1 **Description** An issue exists where an attacker can switch to the administrator role without any control by the back end, using the PATCH method. This issue only affects products that are no longer supported by the maintainer. **Recommendations** For versions 8.x through 8.8.1, as a temporary workaround, consider restricting access to the PATCH method until a solution is available. However, since these versions are no longer supported, the primary recommendation is to upgrade to a supported version if possible. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Directus versions 8.x through 8.8.1 **Description** An attacker can learn sensitive information such as the version of the CMS, the PHP version used by the site, and the name of the DBMS, simply by viewing the result of the "api-aa" endpoint, which is called automatically upon a connection. This issue only affects products that are no longer supported by the maintainer. **Recommendations** For versions 8.x through 8.8.1, consider disabling the "api-aa" endpoint to prevent information disclosure until a patch is available, however, since these versions are no longer supported, updating to a supported version is recommended if available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Directus versions 8.x through 8.8.1 **Description** An attacker can discover whether a user is present in the database through the password reset feature. This issue only affects products that are no longer supported by the maintainer. **Recommendations** For versions 8.x through 8.8.1, as a temporary workaround, consider disabling the password reset feature until a patch is available. However, since these versions are no longer supported, it is recommended to upgrade to a supported version if possible. At the moment, there is no information about a newer version that contains a fix for this vulnerability.