9.8

CVE-2022-26969

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MonospaceDirectus Version < 9.7.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.91% 0.753
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-942 Permissive Cross-domain Policy with Untrusted Domains

The product uses a cross-domain policy file that includes domains that should not be trusted.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
Third Party Advisory
Technical Description