CVE-2022-24814 is a stored XSS vulnerability that can lead to account compromise in the Directus admin application.
Insight
Research from Synopsys’ Cybersecurity Research Center (CyRC) has identified a stored cross-site scripting (XSS) vulnerability in Directus, a popular open-source headless content management system (CMS) built in JavaScript. Directus App is the web-based administration application that lets users view and manage content and collections.

The issue found in the Directus App is:
- CVE-2022-24814: stored XSS in Directus file upload
Note: A similar issue was previously reported as CVE-2022-22116 and CVE-2022-22117; however, the mitigation implemented for those issues in Directus 9.4.2 is not effective and can be worked around.
Affected Software
- Directus v9.6.0 and earlier
Impact
An authenticated user with access to Directus can abuse the file upload feature to create a stored XSS attack that is automatically executed when other users view certain collections or files in Directus. In the worst case, this could lead to the compromise of an administrator account and give the attacker full access to all Directus data and settings.
CVSS 3.1 Base Score: 5.4 (Medium)
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC: VS
Remediation
Upgrade to Directus v9.7.0 or later. See the release notes for the latest available version: https://github.com/directus/directus/releases
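As an added check (example code written for this page, not from the advisory or the Directus project), the following flags Directus instances whose version is still below the fixed release. It assumes that every version below 9.7.0 is affected, since the advisory lists v9.6.0 and earlier as vulnerable and names no backported fix; the host inventory is constructed sample data.

```javascript
// Added example: flag Directus versions affected by CVE-2022-24814.
// Assumption: every release below 9.7.0 is affected (no backported fix).
const FIXED_VERSION = "9.7.0";

// Parse "v9.6.0", "9.7.0-rc.1" or "9.7.0+build" into comparable parts.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(s.trim());
  if (!m) throw new Error(`unrecognised version string: ${s}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// Semver ordering: compare major.minor.patch, then a pre-release sorts before
// its final release (9.7.0-rc.1 < 9.7.0). Pre-release tags are compared as
// plain strings, which is enough for a single-line-of-rc tag. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;   // final release is newer than its pre-release
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// True when the installed version still carries CVE-2022-24814.
function isAffectedByCve202224814(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Constructed sample inventory (hypothetical hosts, e.g. from an asset register).
const SAMPLE_INSTANCES = [
  { host: "cms-prod.example.internal", version: "v9.6.0" },
  { host: "cms-stage.example.internal", version: "9.7.0-rc.1" },
  { host: "cms-dev.example.internal", version: "9.7.0" },
];

// Return the hosts that still need the upgrade to 9.7.0 or later.
function hostsNeedingUpgrade(instances) {
  return instances
    .filter((i) => isAffectedByCve202224814(i.version))
    .map((i) => i.host);
}

console.log(hostsNeedingUpgrade(SAMPLE_INSTANCES));
```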
Discovery credit
As the researcher who discovered the vulnerability, I would like to commend the Directus team for their responsiveness and for resolving this vulnerability in a timely manner.
Chronology
- January 28, 2022: Initial disclosure
- March 7, 2022: Directus security team confirms the vulnerability and its intent to fix
- March 18, 2022: Directus v9.7.0 is released with a fix for CVE-2022-24814
- April 11, 2022: Notice published by Synopsys