CVE-2024-28238: Session Token in URL in directus

March 12, 2024 (updated March 13, 2024)

Impact

When reaching the /files page, a JWT is passed via GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places (e.g., web server logs, browser history). Attackers gaining access to these logs may hijack active user sessions, leading to unauthorized access to sensitive information or actions on behalf of the user.

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

There’s no workaround available.

References

Are there any links users can visit to find out more?

References

github.com/advisories/GHSA-2ccr-g2rv-h677
github.com/directus/directus
github.com/directus/directus/security/advisories/GHSA-2ccr-g2rv-h677
nvd.nist.gov/vuln/detail/CVE-2024-28238

Code Behaviors & Features

Detect and mitigate CVE-2024-28238 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →