Directus Open Redirect Vulnerability in Admin Two-Factor Authentication Setup Page
Vulnerability
An open redirect vulnerability has been identified in Directus versions prior to 11.16.1. This issue occurs on the admin two-factor authentication (2FA) setup page, where the redirect query parameter is not properly validated. When an administrator who has not yet configured 2FA clicks on a crafted URL, they are directed to the legitimate Directus 2FA setup page. After completing the setup, the application redirects them to an attacker-controlled URL specified in the redirect parameter. This vulnerability could be exploited in phishing attacks against Directus administrators, as the initial interaction takes place on a trusted domain.
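The missing check is validation of the redirect parameter before the post-setup redirect. The following is an added example of such a check, not Directus code: it accepts only root-relative paths that resolve to the application's own origin, and it assumes a constructed origin (APP_ORIGIN) and landing page (DEFAULT_TARGET).

```javascript
// Added example, not Directus code: validate a `redirect` query parameter so
// it can only send the browser to a path on the application's own origin.
// APP_ORIGIN and DEFAULT_TARGET are assumed values; in a browser you would
// take the origin from window.location.origin.
const APP_ORIGIN = 'https://cms.example.com';
const DEFAULT_TARGET = '/admin/';

function safeRedirectTarget(redirect, origin = APP_ORIGIN, fallback = DEFAULT_TARGET) {
  if (typeof redirect !== 'string') return fallback;
  const value = redirect.trim();
  // Only root-relative paths are accepted; this already excludes "http://...",
  // "javascript:..." and bare host names.
  if (!value.startsWith('/')) return fallback;
  // "//host" is protocol-relative, and browsers also read "/\host" as an
  // authority, so a slash or backslash in the second position is rejected.
  if (/^\/[\/\\]/.test(value)) return fallback;
  // URL parsers strip tabs and newlines, which would turn "/\t/host" into
  // "//host"; refuse any control character outright.
  if (/[\u0000-\u001f\u007f]/.test(value)) return fallback;
  // Resolve against our own origin and confirm the parser agrees the target
  // stays on it. This is the decisive check; the tests above just fail fast.
  let url;
  try {
    url = new URL(value, origin);
  } catch {
    return fallback;
  }
  if (url.origin !== origin) return fallback;
  // Hand back a path-only string so the caller is never given an absolute URL.
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs: one legitimate in-app target and several
// values that must all fall back to the default landing page.
const samples = ['/admin/users?tab=1#x', '//evil.example/', '/\\evil.example',
  'https://evil.example/', 'javascript:alert(1)', '/\t/evil.example'];
for (const candidate of samples) {
  console.log(JSON.stringify(candidate), '=>', safeRedirectTarget(candidate));
}
```

Absolute URLs are rejected even when they point at the application's own host; a stricter path-only policy is simpler to reason about than an allow-list of hosts.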
Impact
Exploitation of this vulnerability sends an administrator, after completing 2FA setup, to an attacker-chosen external URL, which can be used for phishing attacks targeting Directus administrators.
Remediation
Users can upgrade to Directus version 11.16.1 or later to address this vulnerability.