CVE-2022-24814 is a stored XSS vulnerability that can lead to account compromise in the admin application of Directus.
The issue found in the Directus App is
Note: A similar issue was previously reported in CVE-2022-22116 and CVE-2022-22117; however, the mitigation implemented for these issues in Directus 9.4.2 is not effective and can be bypassed.
An authenticated user with access to Directus can abuse the file upload functionality to create a stored XSS attack that is automatically executed when other users view certain collections or files within Directus. In a worst-case scenario, this could lead to the compromise of an admin account and give the attacker full access to all data and settings within Directus.
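The advisory does not say how the uploaded file reaches the victim's browser or how the 9.4.2 mitigation was bypassed, so the following is an added example of the general defence for this class of issue; it is not Directus code and does not claim to be the 9.7.0 fix. The function name, the inline allowlist and the header values are this example's assumptions. The idea is that the decision to serve a stored upload inline is taken from a MIME type detected server-side from the file bytes at upload time, never from the client-supplied type or the extension, that anything a browser would render as an active document (HTML, SVG, XML, unknown types) is forced to a download, and that whatever is still served inline is sandboxed in case detection was wrong.

```javascript
// Added example (not Directus code, not the 9.7.0 fix): choosing response
// headers for a user-uploaded file so that a stored file cannot run script
// in the origin of the application that serves it.

// Types a browser renders inline without treating the file as a document
// that can execute script. Everything else, including HTML, SVG, XML and
// anything unknown, is served as a download. (Allowlist is an assumption
// of this example; tighten it to what the application actually needs.)
const INLINE_SAFE_TYPES = new Set([
  "image/png", "image/jpeg", "image/gif", "image/webp",
  "text/plain", "video/mp4", "audio/mpeg",
]);

// Build a Content-Disposition value. The quoted filename parameter is
// reduced to printable ASCII with quotes and backslashes replaced, so a
// crafted name cannot break out of the header or inject a second header;
// the full name goes in the RFC 5987 filename* parameter, percent-encoded.
function contentDisposition(type, filename) {
  const base = String(filename).split(/[\\/]/).pop() || "download";
  const clean = base.replace(/[\u0000-\u001f\u007f]/g, "");
  const ascii = clean.replace(/[^\x20-\x7e]/g, "_").replace(/["\\]/g, "_");
  return `${type}; filename="${ascii || "download"}"; filename*=UTF-8''${encodeURIComponent(clean)}`;
}

// detectedMime must come from sniffing the stored bytes at upload time,
// never from the client's Content-Type or the file extension: both are
// attacker controlled, and a check keyed on them is what a bypass targets.
function headersForUpload(detectedMime, filename) {
  const mime = String(detectedMime || "").toLowerCase().split(";")[0].trim();
  const inline = INLINE_SAFE_TYPES.has(mime);
  return {
    "Content-Type": mime || "application/octet-stream",
    // Forbid MIME sniffing, so bytes that are really HTML under an image
    // type stay inert.
    "X-Content-Type-Options": "nosniff",
    // If the file is opened as a top-level document anyway, run it in an
    // opaque origin with no script: it cannot read the admin session or
    // call the API as the victim.
    "Content-Security-Policy": "sandbox; default-src 'none'",
    "Content-Disposition": contentDisposition(inline ? "inline" : "attachment", filename),
  };
}
```

Headers like these limit the damage when a type check fails, but the stronger fix for an admin application is to serve user uploads from a separate origin (a dedicated asset hostname), so that even a file that does execute never runs with the admin session's cookies or local storage.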
CVSS 3.1 base score: 5.4 (Medium)
CVSS 3.1 vector (base metrics followed by temporal metrics): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C
Upgrade to Directus v9.7.0 or later. See the release notes for the latest available version (https://github.com/directus/directus/releases).
As the researcher who discovered the vulnerability, I would like to commend the Directus team for their responsiveness and for addressing this vulnerability in a timely manner.
David Johansson is a principal consultant at Synopsys. He has fifteen years of experience in software security and has worked as a consultant for several leading IT security companies. David's expertise is in software development and architecture, web security testing, and training developers and testers in security.