PT-2021-18378 · Apache · Apache Http Server

Moritz Friedmann +1 · Published 2021-04-07 · Updated 2021-04-13 · CVE-2021-29641

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Directus 8 versions prior to 8.8.2

Description: The issue allows remote authenticated users to execute arbitrary code. It is possible because file-upload permissions include the ability to upload a .php file to the main upload directory, and/or to upload a .php file together with a .htaccess file to a subdirectory. Exploitation succeeds only on certain installations that use the Apache HTTP Server and the local-storage driver.

Recommendations: For Directus 8 versions prior to 8.8.2, update to version 8.8.2 or later to resolve the issue. As a temporary workaround, consider restricting file-upload permissions so that .php and .htaccess files cannot be uploaded.
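The temporary workaround above comes down to an upload-filename policy. The following is an added example written for this advisory, not Directus code: a hypothetical `is_upload_allowed` check that enforces an extension allowlist, refuses dotfiles (which covers .htaccess) and refuses PHP-family extensions in any dotted segment of the name, since Apache's mod_mime evaluates every extension in a filename, not only the last one. The allowlist and the set of server-executable extensions are constructed assumptions for the example.

```python
import os
import re

# Constructed allowlist for this example: only these final extensions may be
# stored in a web-served upload directory.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt"}

# Extensions a typical mod_php / php-fpm handler configuration would execute.
# Assumed set for this example; extend it to match the server's handler config.
SERVER_EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def is_upload_allowed(filename: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a client-supplied filename.

    Policy: no path components, no hidden files (so no .htaccess), no
    PHP-family extension in any dotted segment, final extension on the
    allowlist, and a conservative character set.
    """
    # The client must not choose the directory: keep only the base name.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name in (".", ".."):
        return False, "empty or relative name"
    if name.startswith("."):
        # Covers .htaccess and .htpasswd as well as other hidden files.
        return False, "hidden files (e.g. .htaccess) are not accepted"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    # Check every dotted segment, not just the last: Apache's mod_mime
    # considers all extensions, so "image.php.jpg" must also be refused.
    for seg in parts[1:]:
        if seg in SERVER_EXECUTABLE_EXTENSIONS:
            return False, f"server-executable extension .{seg}"
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension .{parts[-1]} not in allowlist"
    # Restrict the character set so nothing unusual reaches the filesystem.
    if not re.fullmatch(r"[A-Za-z0-9_\-]+(\.[A-Za-z0-9]+)+", name):
        return False, "unexpected characters in filename"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample filenames exercising each rule.
    for candidate in ["photo.jpg", "shell.php", ".htaccess", "sub/.htaccess",
                      "image.php.jpg", "report.pdf", "noext", "my photo.png"]:
        print(f"{candidate!r}: {is_upload_allowed(candidate)}")
```

This check is a second line of defence, not a substitute for the vendor fix. On the web-server side, setting `AllowOverride None` for the upload directory makes Apache ignore any .htaccess file that does reach it, and not mapping a PHP handler for that directory stops uploaded scripts from executing regardless of their extension.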

Tags: Exploit · Fix · Unrestricted File Upload


Weakness Enumeration

Related Identifiers: CVE-2021-29641

Affected Products: Apache Http Server