CVE-2021-26595

Name of the Vulnerable Software and Affected Versions Directus versions 8.x through 8.8.1

Description An attacker can learn sensitive information such as the version of the CMS, the PHP version used by the site, and the name of the DBMS, simply by viewing the result of the "api-aa" endpoint, which is called automatically upon a connection. This issue only affects products that are no longer supported by the maintainer.

Recommendations For versions 8.x through 8.8.1, consider disabling the "api-aa" endpoint to prevent information disclosure until a patch is available, however, since these versions are no longer supported, updating to a supported version is recommended if available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.