Synopsys CyRC researchers say they have discovered a stored-cross-site scripting (XSS) vulnerability in Directus.
The vulnerability could lead to the compromise of an admin account and give the attacker full access to all data and settings within Directus.
The issue found in the Directus App is
- CVE-2022-24814: Stored XSS in file upload of Directus
A similar issue was previously reported in CVE-2022-22116 and CVE-2022-22117; however, the mitigation implemented for these issues in Directus 9.4.2 is not effective and can be bypassed.
Affected software
- Directus v9.6.0 and earlier
Impact
An authenticated user with access to Directus can abuse the file upload functionality to create a stored XSS attack that is automatically executed when other users view certain collections or files within Directus. In a worst-case scenario, this could lead to the compromise of an admin account and give the attacker full access to all data and settings within Directus.
CVSS 3.1 base score: 5.4 (Medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C
Remediation
Upgrade to Directus v9.7.0 or later. See release notes for latest version available (https://github.com/directus/directus/releases)
Discovery credit
David Johansson, a researcher from the Synopsys Cybersecurity Research Center, discovered this vulnerability.
Timeline
- January 28, 2022: Initial disclosure
- March 7, 2022: Directus security team confirms the vulnerability and intent to patch it
- March 18, 2022: Directus v3.7.0 is released with a fix for CVE-2022-24814
- April 6, 2022: Advisory published by Synopsys
