Black Duck Cybersecurity Research Center (CyRC) research has identified a stored cross-site scripting (XSS) vulnerability in Directus, a popular open source headless content management system (CMS) built in JavaScript. Directus App is a web-based admin application that allows users to view and manage content and collections.
The issue found in the Directus App is
Note: A similar issue was previously reported in CVE-2022-22116 and CVE-2022-22117; however, the mitigation implemented for these issues in Directus 9.4.2 is not effective and can be bypassed.
An authenticated user with access to Directus can abuse the file upload functionality to create a stored XSS attack that is automatically executed when other users view certain collections or files within Directus. In a worst-case scenario, this could lead to the compromise of an admin account and give the attacker full access to all data and settings within Directus.
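The description above turns on two things any file-upload feature has to get right: what an uploaded file really is cannot be taken from the client-supplied filename or MIME type, and whatever is stored must be served in a way that cannot execute in the origin where admin sessions live. The following Node.js screening and serving logic is an added example written for this page; it is not Directus code, and it is neither the 9.4.2 mitigation nor its bypass (the advisory describes neither). The function names, the magic-number table, the markup patterns and the sample uploads are all this example's own constructions.

```javascript
// Added example (not Directus code): content-based screening of uploaded files
// and hardened response headers for serving them. Every name here is this
// example's own; the samples at the bottom are constructed, not real uploads.

const MIME_OF = {
  png: 'image/png', jpeg: 'image/jpeg', gif: 'image/gif',
  pdf: 'application/pdf', svg: 'image/svg+xml',
};

// Leading bytes for the binary formats accepted as assets.
const MAGIC = [
  { kind: 'png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { kind: 'jpeg', bytes: [0xff, 0xd8, 0xff] },
  { kind: 'gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
  { kind: 'pdf',  bytes: [0x25, 0x50, 0x44, 0x46, 0x2d] },
];

// Classify a buffer by its bytes. The declared MIME type and the extension are
// both attacker-controlled at upload time, so neither is consulted here.
function sniffKind(buf) {
  for (const m of MAGIC) {
    if (buf.length >= m.bytes.length && m.bytes.every((b, i) => buf[i] === b)) return m.kind;
  }
  const head = buf.subarray(0, 1024).toString('utf8').replace(/^\uFEFF/, '').trimStart().toLowerCase();
  if (/^(<\?xml[^>]*>\s*)?(<!--[\s\S]*?-->\s*)*(<!doctype svg[^>]*>\s*)?<svg[\s>]/.test(head)) return 'svg';
  if (/^(<!doctype html|<html|<head|<body|<script|<iframe)/.test(head)) return 'html';
  return 'unknown';
}

// Markup that can run script or pull in other documents when an SVG is rendered
// as a document: <script>, on* handlers, javascript: URLs, foreignObject,
// embedded documents, SMIL animation, XML entities and data: hrefs.
// Deliberately broad: a false positive costs one re-upload, a miss costs a session.
const ACTIVE_CONTENT = [
  /<script[\s>]/i,
  /[\s"'<]on[a-z]+\s*=/i,
  /javascript\s*:/i,
  /<foreignobject[\s>]/i,
  /<(iframe|object|embed|set|animate)[\s>]/i,
  /<!entity/i,
  /href\s*=\s*["']?\s*data:/i,
];

function containsActiveContent(text) {
  return ACTIVE_CONTENT.some((re) => re.test(text));
}

// Screen one upload. Returns a decision object instead of throwing so the caller
// can log the sniffed kind and reason (a stream of rejected "html" uploads from
// one account is itself a detection signal).
function screenUpload({ filename, declaredMime, buffer }) {
  const kind = sniffKind(buffer);
  const m = filename.match(/\.([a-z0-9]+)$/i);
  const ext = m ? m[1].toLowerCase() : '';
  const expected = { png: 'png', jpg: 'jpeg', jpeg: 'jpeg', gif: 'gif', pdf: 'pdf', svg: 'svg' }[ext];
  if (kind === 'html') return { accept: false, kind, reason: 'HTML is never accepted as an asset' };
  if (kind === 'unknown') return { accept: false, kind, reason: 'unrecognised content; declared type is not trusted' };
  if (expected && expected !== kind) return { accept: false, kind, reason: `extension .${ext} does not match content (${kind})` };
  if (kind === 'svg' && containsActiveContent(buffer.toString('utf8'))) {
    return { accept: false, kind, reason: 'SVG contains script-capable markup' };
  }
  return { accept: true, kind, reason: declaredMime === MIME_OF[kind] ? 'ok' : 'ok (declared type ignored)' };
}

// Headers for serving an accepted asset. Content-Type comes from the sniffed
// kind, never from the stored declared type; nosniff stops the browser from
// re-guessing it; the sandbox CSP makes any document rendering run with no
// script and an opaque origin, so it cannot reach the admin session's cookies
// or API. SVG is always served as a download: <img> references still render it
// (and never run script), but navigating to it directly does not give it a document.
function assetResponseHeaders(kind, { inline = false } = {}) {
  return {
    'Content-Type': MIME_OF[kind] || 'application/octet-stream',
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
    'Content-Disposition': inline && kind !== 'svg' ? 'inline' : 'attachment',
  };
}

// Constructed samples for this example; each mimics one upload request.
const SAMPLES = {
  png:      { filename: 'logo.png',  declaredMime: 'image/png',     buffer: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]) },
  mismatch: { filename: 'photo.jpg', declaredMime: 'image/jpeg',    buffer: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]) },
  fakePng:  { filename: 'logo.png',  declaredMime: 'image/png',     buffer: Buffer.from('<!DOCTYPE html><script>fetch("/users/me")</script>') },
  badSvg:   { filename: 'icon.svg',  declaredMime: 'image/svg+xml', buffer: Buffer.from('<svg xmlns="http://www.w3.org/2000/svg" onload="fetch(\'/users/me\')"/>') },
  jsHref:   { filename: 'icon.svg',  declaredMime: 'image/svg+xml', buffer: Buffer.from('<svg xmlns="http://www.w3.org/2000/svg"><a href="javascript:alert(1)"><text y="10">x</text></a></svg>') },
  goodSvg:  { filename: 'icon.svg',  declaredMime: 'image/svg+xml', buffer: Buffer.from('<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>') },
};

for (const [name, s] of Object.entries(SAMPLES)) console.log(name, screenUpload(s));
```

The screening step and the serving headers are independent layers on purpose: the regex list will never be complete against every SVG trick browsers support, so the `sandbox` CSP and the download disposition are what actually keep a missed payload out of the admin origin, while the screening keeps obviously hostile files out of storage and gives the SOC something to alert on.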
CVSS 3.1 base score: 5.4 (Medium)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C (the base metrics give the 5.4 score; the trailing E:P/RL:O/RC:C are temporal metrics recording a proof-of-concept exploit, an official fix and a confirmed report, and they lower the temporal score to 4.9)
Upgrade to Directus v9.7.0 or later. See the release notes for the latest available version: https://github.com/directus/directus/releases
As the researcher who discovered the vulnerability, I would like to commend the Directus team for their responsiveness and for addressing this vulnerability in a timely manner.