CVE-2022-24814 – directus
Package
Manager: npm
Name: directus
Vulnerable Version: >=0 <9.7.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00408 (percentile 0.60367)
Details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in directus

### Impact

Unauthorized JavaScript can be executed by inserting an iframe into the Rich Text HTML interface that links to an uploaded HTML file, which in turn loads another uploaded JS file in its script tag. Because both files are served by the application itself, this satisfies the regular Content Security Policy header, which allows the file to run arbitrary JS.

### Patches

This was resolved in https://github.com/directus/directus/pull/12020, which is released in 9.7.0.

### Workarounds

You can disable live embeds in the WYSIWYG editor by adding `{ "media_live_embeds": false }` to the _Options Overrides_ option of the Rich Text HTML interface.

### References

https://github.com/directus/directus/pull/12020

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [directus/directus](https://github.com/directus/directus)
* Email us at [security@directus.io](mailto:security@directus.io)
Metadata
Created: 2022-04-05T18:30:15Z
Modified: 2022-04-05T18:30:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-xmjj-3c76-5w84/GHSA-xmjj-3c76-5w84.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-xmjj-3c76-5w84
Finding: F425
Auto approve: 1