CVE-2024-28239

Name of the Vulnerable Software and Affected Versions Directus versions prior to 10.10.0

Description The authentication API has a redirect parameter that can be exploited as an open redirect vulnerability when a user tries to log in via the API URL. After a successful login via the Auth API GET request to /auth/login/google?redirect, the user can be redirected to a malicious site. Although credentials are not passed to the attacker site, the user can be phished into clicking a legitimate Directus site and be taken to a malicious site made to look like an error message, potentially leading to password phishing. Users who log in via OAuth2 into Directus may be at risk.

Recommendations For versions prior to 10.10.0, upgrade to version 10.10.0 to address the issue. As a temporary workaround, consider restricting access to the /auth/login/google?redirect API endpoint to minimize the risk of exploitation. Avoid using the redirect parameter in the affected API endpoint until the issue is resolved.