CVE-2020-19850: 
JavaScript vulnerability analysis and mitigation

An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a great amount of HTTP requests. This vulnerability was discovered and disclosed in 2020 and has been assigned identifier CVE-2020-19850 (NIST, GitHub Issue).

The vulnerability is related to the application's inability to prevent replay attacks, where an attacker can send multiple identical HTTP requests. The issue stems from the lack of anti-automation mechanisms. Even with HTTPS encryption in place, the application cannot distinguish between legitimate requests and malicious identical requests, making it vulnerable to denial of service conditions. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (NIST).

The primary impact of this vulnerability is the potential for denial of service conditions. A malicious user can send a large number of identical HTTP requests to overwhelm the server, potentially making the service unavailable to legitimate users. The vulnerability affects availability but does not impact confidentiality or integrity of the system (NIST).

It is recommended to implement anti-automation mechanisms such as CAPTCHA to prevent replay attacks. Additionally, upgrading to a version newer than Directus API v.2.2.0 is advised (GitHub Issue).