CyRC Vulnerability Advisory: Stored XSS In Directus

CVE-2022-24814 is a stored XSS vulnerability that can lead to account compromise in the admin application of Directus.

Overview

Synopsys Cybersecurity Research Center (CyRC) research has identified a stored cross-site scripting (XSS) vulnerability in Directus, a popular open source headless content management system (CMS) built in JavaScript. Directus is a web-based admin application that allows users to view and manage content and collections.

The issue found in the Directus App is

• CVE-2022-24814: Stored XSS in file upload of Directus 

Note: A similar issue was previously reported in CVE-2022-22116 and CVE-2022-22117; however, the mitigation implemented for these issues in Directus 9.4.2 is not effective and can be bypassed.

Affected software

• Directus v9.6.0 and earlier

Impact

An authenticated user with access to Directus can abuse the file upload functionality to create a stored XSS attack that is automatically executed when other users view certain collections or files within Directus. In a worst-case scenario, this could lead to the compromise of an admin account and give the attacker full access to all data and settings within Directus.

CVSS 3.1 base score: 5.4 (Medium)

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C 

Remediation

Upgrade to Directus v9.7.0 or later. See release notes for latest version available (https://github.com/directus/directus/releases) 

Discovery credit

David Johansson, a researcher from the Synopsys Cybersecurity Research Center, discovered this vulnerability.

Synopsys would like to commend the Directus team for their responsiveness and for addressing this vulnerability in a timely manner.

Timeline

• January 28, 2022: Initial disclosure 
• March 7, 2022: Directus security team confirms the vulnerability and intent to patch it
• March 18, 2022: Directus v3.7.0 is released with a fix for CVE-2022-24814
• April 6, 2022: Advisory published by Synopsys