CVE-2024-28239 – directus

Package

Manager: npm
Name: directus
Vulnerable Version: >=0 <10.10.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00229 pctl0.45642

Details

URL Redirection to Untrusted Site in OAuth2/OpenID in directus ### Summary The authentication API has a `redirect` parameter that can be exploited as an open redirect vulnerability as the user tries to log in via the API URL https://docs.directus.io/reference/authentication.html#login-using-sso-providers /auth/login/google?redirect for example. ### Details There's a redirect that is done after successful login via the Auth API GET request to `directus/auth/login/google?redirect=http://malicious-fishing-site.com`, which I think is here: https://github.com/directus/directus/blob/main/api/src/auth/drivers/oauth2.ts#L394. While credentials don't seem to be passed to the attacker site, the user can be phished into clicking a legitimate directus site and be taken to a malicious site made to look like a an error message "Your password needs to be updated" to phish out the current password. ### PoC Turn on any auth provider in Directus instance. Form a link to `directus-instance/auth/login/:provider_id?redirect=http://malicious-fishing-site.com`, login and get taken to malicious-site. Tested on the `ory` OAuth2 integration. ### Impact Users who login via OAuth2 into Directus.

Metadata

Created: 2024-03-12T20:50:48Z
Modified: 2024-03-13T22:25:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-fr3w-2p22-6w7p/GHSA-fr3w-2p22-6w7p.json
CWE IDs: ["CWE-601"]
Alternative ID: GHSA-fr3w-2p22-6w7p
Finding: F156
Auto approve: 1