Advisory CyRC Vulnerability: XSS Stored in Directus


CVE-2022-24814 is a stock XSS vulnerability that can lead to account compromise in the Directus admin application.


Research from Synopsys’ Cybersecurity Research Center (CyRC) has identified a cross-site stored scripting (XSS) vulnerability in Directus, a popular open-source headless content management system (CMS) built in JavaScript. Directus App is a web-based administration application that allows users to view and manage content and collections.

Cybersecurity Live - Boston

The issue found in the Directus app is

  • CVE-2022-24814: XSS stored in Directus file upload

Note: A similar issue has already been reported in CVE-2022-22116 and CVE-2022-22117; however, the mitigation implemented for these issues in Directus 9.4.2 is not effective and can be worked around.

Affected Software

  • Directus v9.6.0 and earlier


An authenticated user with access to Directus can abuse the file upload feature to create a stored XSS attack that is automatically executed when other users view certain collections or files in Directus. In the worst case, this could lead to the compromise of an administrator account and give the attacker full access to all Directus data and settings.

CVSS 3.1 Base Score: 5.4 (Average)
Vector CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC: VS


Upgrade to Directus v9.7.0 or later. See the release notes for the latest available version (

Discovery credit

As the researcher who discovered the vulnerability, I would like to commend the Directus team for their responsiveness and for resolving this vulnerability in a timely manner.


  • January 28, 2022: Initial disclosure
  • March 7, 2022: Directus Security Team Confirms Vulnerability and Intent to Fix
  • March 18, 2022: Directus v9.7.0 is released with a fix for CVE-2022-24814
  • April 11, 2022: Notice published by Synopsys
Subscribe to the blog for the latest AppSec news

Subscribe today


About Author

Comments are closed.