How severe is CVE-2024-34708?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.9 out of 10.

What type of vulnerability is CVE-2024-34708?

This is classified as CWE-200, which is a common weakness in software security.

CVE-2024-34708 - MEDIUM Severity | CVSS 4.9

Vulnerability Description

Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access the raw stored version using the `alias` functionality on the API. Normally, these redacted fields will return `**********` however if we change the request to `?alias[workaround]=redacted` we can instead retrieve the plain text value for the field. This can be avoided by removing permission to view the sensitive fields entirely from users or roles that should not be able to see them. This vulnerability is fixed in 10.11.0.

Related Vulnerabilities

CVE-2012-4382

MEDIUM

CVSS:4.9(Medium)

MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly protect user block metadata, which allows remote administrators to read a user block reason via a reblock attempt.

CWE-2002012

CVE-2013-0192

MEDIUM

CVSS:4.9(Medium)

File Disclosure in SMF (SimpleMachines Forum) <= 2.0.3: Forum admin can read files such as the database config.

CWE-2002013

CVE-2015-3251

MEDIUM

CVSS:4.9(Medium)

Apache CloudStack before 4.5.2 might allow remote authenticated administrators to obtain sensitive password information for root accounts of virtual machines via unspecified vectors related to API cal...

CWE-2002015

CVE-2016-0225

MEDIUM

CVSS:4.9(Medium)

IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.9 allows remote authenticated Commerce Accelerator administrators to obtain sensitive information via unspecified vectors.

CWE-2002016

CVE-2016-10740

MEDIUM

CVSS:4.9(Medium)

Various resources in Atlassian Crowd before version 2.10.1 allow remote attackers with administration rights to learn the passwords of configured LDAP directories by examining the responses to request...

CWE-2002016

CVE-2016-1497

MEDIUM

CVSS:4.9(Medium)

The Configuration utility in F5 BIG-IP systems 11.0.x, 11.1.x, 11.2.x before 11.2.1 HF16, 11.3.x, 11.4.x before 11.4.1 HF10, 11.5.x before 11.5.4 HF2, 1.6.x before 11.6.1, and 12.0.0 before HF1 allows...

CWE-2002016