CVE-2023-27474 HIGH

CVE-2023-27474: HTML Injection in Password Reset email to custom Reset URL in directus

Vendor Directus
Product directus
Weakness CWE-79 · XSS
Published March 6, 2023
Last update February 25, 2025

CVSS base score

8.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Description

Directus is a real-time API and App dashboard for managing SQL database content. Instances that rely on an allow-listed custom password reset URL are vulnerable to HTML injection through query parameters appended to the reset URL. An attacker could exploit this to email users URLs that point at the server's own domain but carry malicious code. The problem has been resolved and released in version 9.23.0. Deployments relying on a custom password reset URL should upgrade to 9.23.0 or later, or remove the custom reset URL from the configured allow list. Users are advised to upgrade. Users unable to upgrade may disable the custom reset URL allow list as a workaround.

Disclosure timeline

March 6, 2023 CVE published
February 25, 2025 Record updated
