CVE-2023-27474 — directus vulnerable to HTML Injection in Password Reset email to custom Reset UR

Description

### Impact Instances relying on an allow-listed reset URL are vulnerable to an HTML injection attack through the use of query parameters in the reset URL. ### Patches The problem has been resolved and released under version 9.23.0. People relying on a custom password reset URL should upgrade to 9.23.0 or later, or remove the custom reset url from the configured allow list. ### Workarounds Disable the custom reset URL allow list.

How to fix CVE-2023-27474

To remediate CVE-2023-27474, upgrade the affected package to a fixed version below.

—upgrade to 9.23.0 or later

Is CVE-2023-27474 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 9.23.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-27474
PATCHgithub.com/directus/directus
WEBgithub.com/directus/directus/issues/17119
WEBgithub.com/directus/directus/pull/17120
WEB