Unauthenticated Remote File Read Vulnerability in Directus 7 API

Unauthenticated Remote File Read Vulnerability in Directus 7 API

CVE-2019-13981 · MEDIUM Severity

AV:N/AC:L/AU:N/C:P/I:N/A:N

In Directus 7 API through 2.3.0, remote attackers can read image files via a direct request for a filename under the uploads/_/originals/ directory. This is related to a configuration option in which the file collection can be non-public, but this option does not apply to the thumbnailer.

Learn more about our Api Penetration Testing.