PT-2024-22353 · Directus · Directus

Rijkvanzanten · Published 2024-03-12 · Updated 2025-01-03 · CVE-2024-28238

CVSS v3.1: 2.3 (Low)
Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 10.10.0
Description: Directus includes the session token in the URL when the "/files" page is reached: the JWT is passed as a query parameter of a GET request. This is a security risk because URLs are routinely recorded in places such as web server logs, proxy logs and browser history. An attacker who obtains those records can replay the token and hijack the active session of the user it belongs to, gaining unauthorized access to sensitive information or performing actions on that user's behalf.
Recommendations: For versions prior to 10.10.0, upgrade to version 10.10.0, which addresses the issue. As a temporary workaround, consider restricting access to the "/files" page until the upgrade is applied, and avoid passing the JWT in the GET request to "/files" until the issue is resolved.
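As an added defender-side example (not code from this advisory or from the Directus project), the following Python scans web-server access-log lines for JWT-shaped values in the query string of requests to "/files" and redacts them, so existing logs can be checked for leaked session tokens before they are retained. The log format, the sample lines and the access_token parameter name are constructed assumptions, not values taken from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line of a combined-format access log: "GET /files?x=y HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Compact JWT: three base64url segments. A JSON header always encodes to a
# string starting with "eyJ", so the pattern does not depend on the parameter name.
JWT_RE = re.compile(r'eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*')

# Constructed sample lines; the token is a placeholder, not a real credential.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /files?access_token='
    'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc123 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "GET /files?limit=25 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Mar/2024:10:01:04 +0000] "GET /items/articles?access_token='
    'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc123 HTTP/1.1" 200 300',
]


def find_token_leaks(log_lines, path_prefix="/files"):
    """Return (line_no, path, param) for each request under path_prefix whose
    query string carries a JWT-shaped value. Use path_prefix="/" to audit all paths."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(path_prefix):
            continue
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if JWT_RE.fullmatch(value):
                findings.append((n, parts.path, key))
    return findings


def redact_tokens(line):
    """Replace any JWT-shaped value so a retained log line cannot be replayed."""
    return JWT_RE.sub("[REDACTED-JWT]", line)


if __name__ == "__main__":
    for line_no, path, param in find_token_leaks(SAMPLE_LOG):
        print(f"line {line_no}: token in query parameter '{param}' of {path}")
    print(redact_tokens(SAMPLE_LOG[0]))
```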

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-28238
GHSA-2CCR-G2RV-H677

Affected Products

Directus