CVE-2023-38503

CVSS 3.1 Score 6.5 of 10 (medium)

Details

Published Jul 25, 2023

Updated: Aug 3, 2023

CWE ID 863

CWE ID 200

Summary

CVE-2023-38503 is a vulnerability affecting Directus, a real-time API and App dashboard for managing SQL database content, between versions 10.3.0 and 10.5.0. The issue lies in the improper checking of permission filters during GraphQL subscriptions, enabling unauthorized users to receive updates they should not have access to. This vulnerability can potentially expose sensitive information from the `directus_users` collection. Users on affected versions are advised to update to version 10.5.0 or disable GraphQL subscriptions as a workaround.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Monospace

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/sCS8o3
https://www.cve.org/CVERecord?id=CVE-2023-38503
https://nvd.nist.gov/vuln/detail/CVE-2023-38503

Back to Vulnerability Database

CVE-2023-38503

CVSS 3.1 Score 6.5 of 10 (medium)

Details

Summary

Affected Vendors

Advisories, Assessments, and Mitigations