
Rewterz Threat Advisory – Multiple Node.js Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-27295 CVSS:8.2

The Node.js Directus package could provide weaker than expected security because its password-recovery flow matches email addresses in an accent-insensitive way, so addresses that differ only by accented characters can resolve to the same account and the recovery mechanism is weakened. A remote attacker could exploit this vulnerability to launch further attacks on the system.

CVE-2024-27296 CVSS:5.3

The Node.js Directus package could allow a remote attacker to obtain sensitive information because the package version number is embedded in the compiled JS bundles. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain that information and use it to launch further attacks against the affected system.

CVE-2024-27298 CVSS:6.5

The Node.js parse-server package is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements to view, add, modify or delete information in the back-end database.

Impact

  • Information Gain
  • Data Manipulation

Indicators Of Compromise

CVE

  • CVE-2024-27295
  • CVE-2024-27296
  • CVE-2024-27298

Affected Vendors

Node.js

Affected Products

  • Directus 10.8.2
  • Node.js parse-server 6.4.0
  • Node.js parse-server 5.6.0
  • Node.js parse-server 6.3.1
  • Node.js parse-server 5.5.6

Remediation

Refer to the vendors' Git repositories for patch, upgrade or suggested workaround information for each CVE:

  • CVE-2024-27295
  • CVE-2024-27296
  • CVE-2024-27298