PT-2021-17066 · Directus · Directus

Authors: Arnaud Courty (+1)
Published: 2021-02-23 · Updated: 2024-08-03
CVE-2021-26593
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions 8.x through 8.8.1
Description: The issue allows an attacker to see all users in the CMS through the API endpoint "/users/{id}". Each call returns extensive information about the user, such as email address, first name, and last name, and also the 2FA secret if one has been configured. This secret can be regenerated. The issue only affects product versions that are no longer supported by the maintainer.
Recommendations: For versions 8.x through 8.8.1, as a temporary workaround, consider disabling the API endpoint "/users/{id}" until a patch is available. Restrict access to the user information to minimize the risk of exploitation. Avoid using the id variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
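Because the recommendation above relies on restricting or disabling the endpoint rather than a vendor patch, a defender also wants to know whether the endpoint is being walked id by id. The following is an added example, not part of the advisory or of the Directus project: it scans web-server access logs for one client fetching many distinct "/users/{id}" records in a short window. It assumes combined-style access logs and numeric user ids, and treats only successful (HTTP 200) GET requests as disclosures; the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log style). The first client
# walks six distinct user ids in six seconds; the second repeats one id,
# hits the non-numeric "/users/me" route, and gets a 401 on another id.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Feb/2021:10:00:01 +0000] "GET /users/1 HTTP/1.1" 200 612
203.0.113.7 - - [23/Feb/2021:10:00:02 +0000] "GET /users/2 HTTP/1.1" 200 598
203.0.113.7 - - [23/Feb/2021:10:00:03 +0000] "GET /users/3 HTTP/1.1" 200 601
203.0.113.7 - - [23/Feb/2021:10:00:04 +0000] "GET /users/4 HTTP/1.1" 200 577
203.0.113.7 - - [23/Feb/2021:10:00:05 +0000] "GET /users/5 HTTP/1.1" 200 590
203.0.113.7 - - [23/Feb/2021:10:00:06 +0000] "GET /users/6 HTTP/1.1" 200 583
198.51.100.4 - - [23/Feb/2021:10:01:10 +0000] "GET /users/42 HTTP/1.1" 200 605
198.51.100.4 - - [23/Feb/2021:10:01:11 +0000] "GET /users/42 HTTP/1.1" 200 605
198.51.100.4 - - [23/Feb/2021:10:01:12 +0000] "GET /users/me HTTP/1.1" 200 605
198.51.100.4 - - [23/Feb/2021:10:01:13 +0000] "GET /users/43 HTTP/1.1" 401 87
"""

# Combined-log format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: user ids on the affected endpoint are numeric.
USER_PATH_RE = re.compile(r'^/users/(?P<id>\d+)$')
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


def parse_line(line):
    """Return (client_ip, timestamp, user_id) for a successful GET of
    /users/{id}, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = USER_PATH_RE.match(m['path'])
    if not u or m['method'] != 'GET' or m['status'] != '200':
        return None
    return m['ip'], datetime.strptime(m['ts'], TS_FMT), int(u['id'])


def find_enumeration(log_text, threshold=5, window_seconds=60):
    """Map client IP -> largest number of distinct user ids that client
    fetched successfully within any window of window_seconds, for clients
    that reached the threshold. Sliding window over time-sorted events."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts, uid = rec
            events[ip].append((ts, uid))

    alerts = {}
    window = timedelta(seconds=window_seconds)
    for ip, recs in events.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Advance the window start until it spans at most window_seconds.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            distinct = {uid for _, uid in recs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts


if __name__ == '__main__':
    for ip, count in find_enumeration(SAMPLE_LOG).items():
        print(f'{ip}: {count} distinct /users/{{id}} records fetched within 60s')
```

The window and threshold are tuning knobs: legitimate administrative use of the endpoint touches a handful of ids, whereas walking the user table produces a steady run of distinct ids from one client. Since the affected versions return the record without authentication (PR:N in the vector), access logs will not show a credential to filter on, so the count of distinct ids per client is the signal; any flagged client is a reason to rotate the 2FA secrets of the users whose ids appear in that run, as the description notes they can be regenerated.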

Exploit
Information Disclosure
Weakness Enumeration
Related Identifiers: CVE-2021-26593
Affected Products: Directus