PT-2024-2179

C53Julian

Published: 2024-03-01 · Updated: 2025-01-03

CVE-2024-27295

CVSS v2.0: 8.5 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 10.8.3

Description: The password reset mechanism of the Directus backend allows an attacker to receive the password reset email of a victim user by having it delivered to a lookalike address: the victim's address with one or more characters replaced by accented variants. This works because MySQL/MariaDB are configured by default for accent-insensitive and case-insensitive string comparison, so the lookalike address matches the victim's row, and because the API sends the reset mail to the address supplied in the request instead of the address stored in the database. An attacker who registers an accented lookalike of the victim's domain and requests a password reset for the accented address receives the password reset link and can potentially log into the target account.

Recommendations: For versions prior to 10.8.3, update to version 10.8.3 or later to resolve the issue. As a temporary workaround, configure MySQL/MariaDB to use a collation that is accent-sensitive and case-sensitive, such as utf8mb4_0900_ai_ci, so that comparisons are no longer accent-insensitive. Additionally, restrict access to the password reset mechanism to minimize the risk of exploitation.
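The following is an added example, not Directus code, that models the two ingredients of the bug described above and the fix. It mimics two MySQL collations as equality keys for a `WHERE email = ?` lookup (an approximation, sufficient for Latin letters): the MySQL 8 default `utf8mb4_0900_ai_ci`, whose suffix means accent-insensitive and case-insensitive, and `utf8mb4_0900_as_cs`, which is accent- and case-sensitive; note that a collation meeting the "accent-sensitive and case-sensitive" requirement in the recommendation therefore carries the `_as_cs` suffix. The user table, the lookalike address and the handler names are constructed for the example. The hardened handler mails the address stored on the matched record, as the fix described above does, and additionally refuses the request when the supplied string is not byte-identical to the stored one, which is an extra check added here.

```javascript
// Added example, not Directus code: why mailing the supplied address is unsafe under
// an accent-insensitive collation, and how mailing the stored address closes the hole.

// Constructed user table standing in for the users table.
const USERS = [{ id: 1, email: "alice@example.com" }];

// Approximations of two MySQL collations, used as the equality key for WHERE email = ?.
// Assumption: the real server compares collation weights; for Latin letters this matches.
const COLLATIONS = {
  // utf8mb4_0900_ai_ci (MySQL 8 default): drop accents after NFD decomposition, fold case.
  utf8mb4_0900_ai_ci: (s) => s.normalize("NFD").replace(/\p{M}/gu, "").toLowerCase(),
  // utf8mb4_0900_as_cs: accent- and case-sensitive, so only the identical string matches.
  utf8mb4_0900_as_cs: (s) => s,
};

// Lookup as the database would perform it under the given collation.
function findUserByEmail(email, collation) {
  const key = COLLATIONS[collation];
  return USERS.find((u) => key(u.email) === key(email)) || null;
}

// Vulnerable pattern (pre-10.8.3 behaviour as described in the advisory): the reset
// link is sent to whatever address the request supplied.
function requestResetVulnerable(suppliedEmail, collation) {
  const user = findUserByEmail(suppliedEmail, collation);
  if (!user) return { sent: false };
  return { sent: true, to: suppliedEmail, userId: user.id };
}

// Hardened pattern: the link goes to the address stored on the matched record, and the
// supplied string must also equal the stored one exactly (an extra check added in this
// example, beyond the fix the advisory describes) so lookalikes do not resolve at all.
function requestResetHardened(suppliedEmail, collation) {
  const user = findUserByEmail(suppliedEmail, collation);
  if (!user || user.email !== suppliedEmail) return { sent: false };
  return { sent: true, to: user.email, userId: user.id };
}

// Constructed lookalike address: the 'a' in the domain carries an acute accent (U+00E1).
const LOOKALIKE = "alice@ex\u00e1mple.com";

// Runs the four cases a reviewer would want to compare side by side.
function demo() {
  return {
    vulnerableDefault: requestResetVulnerable(LOOKALIKE, "utf8mb4_0900_ai_ci"),
    vulnerableAsCs: requestResetVulnerable(LOOKALIKE, "utf8mb4_0900_as_cs"),
    hardenedDefault: requestResetHardened(LOOKALIKE, "utf8mb4_0900_ai_ci"),
    hardenedGenuine: requestResetHardened("alice@example.com", "utf8mb4_0900_ai_ci"),
  };
}

console.log(demo());
```

Under the default collation the vulnerable handler matches the victim's row and mails the reset link to the lookalike address; switching the collation to `utf8mb4_0900_as_cs` stops the match, and the hardened handler never mails anywhere but the stored address whatever the collation, while still serving the genuine address.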

Related Identifiers

BDU:2024-02094
CVE-2024-27295
GHSA-QW9G-7549-7WG5

Affected Products

Directus
MariaDB
MySQL Server