CVE-2024-54128: 
JavaScript vulnerability analysis and mitigation

Directus, a real-time API and App dashboard for managing SQL database content, was found to contain an HTML Injection vulnerability in its Comment feature (CVE-2024-54128). The vulnerability was discovered and disclosed on December 5, 2024, affecting versions 10.10.0 and later. The issue stems from a client-side filter implementation meant to prevent users from adding restricted characters such as HTML tags, which could be bypassed (GitHub Advisory).

The vulnerability exists due to the Comment feature implementing character filtering only on the client side, which can be circumvented by directly sending requests to the endpoint. An attacker can bypass the restrictions by sending a PATCH request to '/activity/comment/{id}' with HTML content in the comment field. The vulnerability has been assigned a CVSS v3.1 score of 5.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N, indicating network vector attack with low complexity requiring low privileges and user interaction (GitHub Advisory).

The vulnerability's impact has been heightened due to the introduction of session cookies, as malicious scripts can now perform authenticated actions on behalf of the current user. This could lead to potential data exposure and unauthorized actions within the application (GitHub Advisory).

The vulnerability has been patched in versions 10.13.4 and 11.2.0. Users are advised to upgrade to these or later versions to address the security issue (NVD).