Directus Cross-Origin Opener Policy Vulnerability in Single Sign-On Login Pages
Vulnerability
A vulnerability exists in Directus Single Sign-On (SSO) login pages prior to version 11.17.0, where the Cross-Origin-Opener-Policy (COOP) HTTP response header was missing. This absence allowed a malicious cross-origin window to access and manipulate the window object of the Directus login page. An attacker could exploit this to intercept and redirect the OAuth authorization flow to an attacker-controlled OAuth client, potentially leading to unauthorized access to the victim's authentication provider account, such as Google or Discord. This vulnerability has been addressed in Directus version 11.17.0.
Impact
Exploitation of this vulnerability could allow an attacker to obtain an OAuth access token for the victim's third-party identity provider account. Depending on the authorized scopes, this could result in unauthorized access to the victim's linked identity provider account or account takeover of the Directus instance if the attacker can authenticate using the stolen credentials or provider session.
Remediation
Users can upgrade to Directus version 11.17.0 or later to address this vulnerability. Alternatively, those unable to upgrade immediately can configure their reverse proxy or web server to add the 'Cross-Origin-Opener-Policy: same-origin' HTTP response header to all Directus responses.
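To confirm that the header-based mitigation is actually reaching clients, the following added check (not part of the advisory or of Directus) parses an HTTP response head and reports whether Cross-Origin-Opener-Policy is present with the advised value of same-origin; the sample responses are constructed, and the optional live fetch against a URL you supply is an assumption about how you would run it.

```python
"""Grade an HTTP response's Cross-Origin-Opener-Policy (COOP) header."""
import sys
import urllib.request

REQUIRED_VALUE = "same-origin"  # the value the advisory tells operators to add


def parse_headers(raw_response: str) -> dict[str, list[str]]:
    """Parse a raw HTTP/1.1 response head into a case-insensitive header map.
    Names are lower-cased; a repeated header keeps every value it was sent with."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def coop_status(headers: dict[str, list[str]]) -> str:
    """Return 'ok', 'missing', or 'other:<values>' for the COOP header."""
    values = headers.get("cross-origin-opener-policy", [])
    if not values:
        return "missing"
    # Strip structured-header parameters such as '; report-to="..."' and compare
    # case-insensitively; a duplicated header with differing values is not 'ok'.
    normalized = {v.split(";", 1)[0].strip().lower() for v in values}
    if normalized == {REQUIRED_VALUE}:
        return "ok"
    return "other:" + ",".join(sorted(normalized))


def check_raw(raw_response: str) -> str:
    return coop_status(parse_headers(raw_response))


def check_url(url: str) -> str:
    """Fetch a page (for example a Directus SSO login page) and grade its COOP header."""
    with urllib.request.urlopen(url) as resp:
        headers: dict[str, list[str]] = {}
        for name, value in resp.getheaders():
            headers.setdefault(name.lower(), []).append(value)
    return coop_status(headers)


# Constructed sample responses; not captured from a real Directus instance.
UNPATCHED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
PATCHED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           "Cross-Origin-Opener-Policy: same-origin\r\n\r\n<html>...</html>")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], check_url(sys.argv[1]))
    else:
        print("unpatched sample:", check_raw(UNPATCHED))  # missing
        print("patched sample:", check_raw(PATCHED))      # ok
```

Because the advisory's workaround is to add the header to all Directus responses, run the live check against the login page and a few other Directus paths rather than a single URL.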
