CyRC Vulnerability Advisory: Stored XSS in Directus

CVE-2022-24814 is a stored XSS vulnerability that can lead to account compromise in the admin application of Directus. 


Overview

Synopsys Cybersecurity Research Center (CyRC) research has identified a stored cross-site scripting (XSS) vulnerability in Directus, a popular open source headless content management system (CMS) built in JavaScript. Directus App is a web-based admin application that allows users to view and manage content and collections.

The issue found in the Directus App is:

  • CVE-2022-24814: Stored XSS in file upload of Directus

Note: A similar issue was previously reported in CVE-2022-22116 and CVE-2022-22117; however, the mitigation implemented for these issues in Directus 9.4.2 is not effective and can be bypassed.

Affected software

  • Directus v9.6.0 and earlier

Impact

An authenticated user with access to Directus can abuse the file upload functionality to create a stored XSS attack that is automatically executed when other users view certain collections or files within Directus. In a worst-case scenario, this could lead to the compromise of an admin account and give the attacker full access to all data and settings within Directus.

CVSS 3.1 base score: 5.4 (Medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C
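Defensive handling of this class of issue, as an added illustration that is not Directus code and not the project's fix for CVE-2022-24814: an upload pipeline that never trusts the client-declared file type, verifies image uploads by magic bytes, refuses to store markup-like content under a renderable type, and serves files with headers that keep any surviving active content from executing in the application's origin. The allow-list, the function names and the sample uploads are all assumptions constructed for this example.

```javascript
'use strict';

// Hypothetical allow-list of types the admin app may render inline; everything
// else is forced to download. SVG, HTML and XML are active content and are
// deliberately absent from this list.
const INLINE_SAFE_TYPES = new Set([
  'image/png', 'image/jpeg', 'image/gif', 'image/webp', 'text/plain',
]);

// Magic-byte signatures used to verify that the bytes really are the image the
// client claims. The declared type (multipart Content-Type header or filename
// extension) is attacker-controlled and is never trusted on its own.
const MAGIC = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
];

function detectImageType(buf) {
  for (const sig of MAGIC) {
    if (buf.length >= sig.bytes.length && sig.bytes.every((b, i) => buf[i] === b)) {
      return sig.type;
    }
  }
  // WebP: "RIFF" <4-byte size> "WEBP"
  if (buf.length >= 12 && buf.toString('latin1', 0, 4) === 'RIFF' &&
      buf.toString('latin1', 8, 12) === 'WEBP') {
    return 'image/webp';
  }
  return null;
}

// Heuristic: does the leading content look like markup a browser would execute
// if it were rendered in the application origin?
function looksLikeMarkup(buf) {
  const head = buf.toString('latin1', 0, Math.min(buf.length, 2048)).toLowerCase();
  return /<\s*(!doctype\s+html|html|svg|script|\?xml|body|iframe)\b/.test(head) ||
         /\bon[a-z]+\s*=/.test(head) ||
         /javascript:/.test(head);
}

// Decide which Content-Type the file will be stored and served under.
function classifyUpload({ declaredType, bytes }) {
  const detected = detectImageType(bytes);
  if (detected) return { storedType: detected, reason: 'verified by magic bytes' };
  if (looksLikeMarkup(bytes)) {
    return { storedType: 'application/octet-stream', reason: 'active content neutralised' };
  }
  if (declaredType === 'text/plain') {
    return { storedType: 'text/plain', reason: 'declared text, no markup found' };
  }
  return { storedType: 'application/octet-stream', reason: 'unverified type forced to download' };
}

// Strip path components and anything that could break out of a quoted
// Content-Disposition filename parameter.
function safeFilename(name) {
  const base = name.split(/[\\/]/).pop() || 'file';
  const cleaned = base.replace(/[^A-Za-z0-9._-]/g, '_').slice(0, 100);
  return cleaned || 'file';
}

// Response headers for serving a stored file: nosniff so the browser cannot
// reinterpret the type, a sandboxed CSP so even inline content runs without
// scripts or origin access, and attachment disposition for anything not on
// the inline allow-list.
function downloadHeaders(storedType, filename) {
  const inline = INLINE_SAFE_TYPES.has(storedType);
  const disposition = inline ? 'inline' : 'attachment';
  return {
    'Content-Type': storedType,
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `${disposition}; filename="${safeFilename(filename)}"`,
    'Content-Security-Policy': "sandbox; default-src 'none'",
  };
}

// Constructed sample uploads (not files from the advisory).
const SAMPLES = {
  png:       { filename: 'logo.png',  declaredType: 'image/png',
               bytes: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
  svg:       { filename: 'icon.svg',  declaredType: 'image/svg+xml',
               bytes: Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"><script>/* active */</script></svg>') },
  disguised: { filename: 'photo.png', declaredType: 'image/png',
               bytes: Buffer.from('<!DOCTYPE html><html><body>not an image</body></html>') },
  note:      { filename: 'readme.txt', declaredType: 'text/plain',
               bytes: Buffer.from('plain notes, nothing active') },
};

function processAll() {
  const out = {};
  for (const [name, sample] of Object.entries(SAMPLES)) {
    const decision = classifyUpload(sample);
    out[name] = { ...decision, headers: downloadHeaders(decision.storedType, sample.filename) };
  }
  return out;
}

console.log(JSON.stringify(processAll(), null, 2));
```

The two checks complement each other: classification stops a file with an active type from being stored as something renderable, and the headers make sure that a file which slips past classification is still served as a download inside a sandboxed document rather than executing with the admin user's session. Serving uploads from a separate origin would add a further layer that this example does not show.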

Remediation

Upgrade to Directus v9.7.0 or later. See the release notes for the latest available version (https://github.com/directus/directus/releases).

Discovery credit

As the researcher who discovered the vulnerability, I would like to commend the Directus team for their responsiveness and for addressing this vulnerability in a timely manner.

Timeline

  • January 28, 2022: Initial disclosure
  • March 7, 2022: Directus security team confirms the vulnerability and their intent to patch it
  • March 18, 2022: Directus v9.7.0 is released with a fix for CVE-2022-24814
  • April 11, 2022: Advisory published by Synopsys

Posted by David Johansson

David Johansson is a principal consultant at Synopsys. He has fifteen years of experience in software security and has worked as a consultant for several leading IT security companies. David's expertise is in software development and architecture, web security testing, and training developers and testers in security.
