PT-2024-26122 · Directus

Elieehel · Published 2024-05-13 · Updated 2025-01-03 · CVE-2024-34708

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 10.11.0

Description: A user with permission to view any collection using redacted hashed fields can access the raw stored version using the alias functionality on the API. Normally, these redacted fields return **********, but by changing the request to ?alias[workaround]=redacted, it is possible to retrieve the plain text value for the field. This issue can be exploited by visiting specific API endpoints, such as /users/me and then /users/me?alias[hash]=password, to obtain the raw password hash instead of the redacted value.

Recommendations: For versions prior to 10.11.0, remove permission to view sensitive fields entirely from users or roles that should not be able to see them. This can be done by adjusting the roles and permissions settings in the Directus dashboard to restrict access to sensitive information. As a temporary workaround, consider restricting access to the alias functionality on the API until the issue is resolved by updating to version 10.11.0 or later.
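The following is an added example for operators of an unpatched instance, not code from Directus or from this advisory: it checks whether a version is below the 10.11.0 fix and scans proxy access-log lines for alias[...] parameters that map onto redacted fields, which is the request shape described above. The log lines are constructed, and the SENSITIVE_FIELDS set beyond "password" is an assumption to adapt to your schema.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Hashed fields on directus_users that Directus redacts in API responses.
# Assumption: only "password" is named in the advisory; the others are
# plausible candidates and should be adjusted to your schema.
SENSITIVE_FIELDS = {"password", "token", "tfa_secret"}

# The alias parameter shape from the advisory: alias[<name>]=<field>
ALIAS_KEY = re.compile(r"^alias\[[^\]]*\]$")
# Request target from a common-log-format request line
REQUEST_TARGET = re.compile(r'"(?:GET|POST|PATCH) (\S+) HTTP/')

def is_affected(version: str) -> bool:
    """True when a Directus version is older than the fixed release 10.11.0."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts < (10, 11, 0)

def aliased_sensitive_fields(request_target: str) -> list[str]:
    """Redacted fields that a request maps to a new name via alias[...].

    parse_qsl percent-decodes keys, so the proxy-logged form
    'alias%5Bhash%5D=password' is caught as well as the literal brackets.
    """
    query = urlsplit(request_target).query
    return [
        value
        for key, value in parse_qsl(query, keep_blank_values=True)
        if ALIAS_KEY.match(key) and value in SENSITIVE_FIELDS
    ]

def scan_access_log(lines) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, aliased fields) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = REQUEST_TARGET.search(line)
        if match is not None:
            fields = aliased_sensitive_fields(match.group(1))
            if fields:
                findings.append((lineno, fields))
    return findings

# Constructed sample log lines (not real traffic): line 3 is the request
# shape from the advisory, line 4 the same request with brackets encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/May/2024:10:00:00 +0000] "GET /users/me HTTP/1.1" 200 812',
    '10.0.0.5 - - [13/May/2024:10:00:01 +0000] "GET /items/articles?fields=title HTTP/1.1" 200 2048',
    '10.0.0.5 - - [13/May/2024:10:00:02 +0000] "GET /users/me?alias[hash]=password HTTP/1.1" 200 900',
    '10.0.0.7 - - [13/May/2024:10:00:03 +0000] "GET /users/me?alias%5Bhash%5D=password HTTP/1.1" 200 900',
]
```

Hits from scan_access_log on a patched instance are harmless but still worth reviewing, since a role that can alias a redacted field is one the recommendations above say should not see it at all.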

Vulnerability type: Information Disclosure

Related Identifiers

CVE-2024-34708
GHSA-P8V3-M643-4XQX

Affected Products

Directus