CVE-2022-24814 is a stored XSS vulnerability that can lead to account compromise in the admin application of Directus.
The issue found in the Directus App is:
- CVE-2022-24814: Stored XSS in the file upload functionality of Directus
- Affected versions: Directus v9.6.0 and earlier
An authenticated user with access to Directus can abuse the file upload functionality to create a stored XSS attack that is automatically executed when other users view certain collections or files within Directus. In a worst-case scenario, this could lead to the compromise of an admin account and give the attacker full access to all data and settings within Directus.
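The advisory does not state which uploaded file type or rendering path carries the payload, so the following is an added, generic example of the control that closes this class of bug (stored XSS via a browser-renderable upload); it is not Directus code and not the Directus fix. `ACTIVE_CONTENT_TYPES`, `downloadHeaders` and `findActiveContent` are names chosen here, and the sample uploads are constructed for the example.

```javascript
// Added example, not Directus code: generic hardening for an endpoint that serves
// user uploads back to other users, so that a browser-renderable upload (HTML, SVG,
// XML) cannot execute script in the application's origin when someone opens it.

// MIME types a browser will render as a document, and therefore run script from,
// when served inline from the application's own origin. (Assumed list.)
const ACTIVE_CONTENT_TYPES = new Set([
  'text/html',
  'application/xhtml+xml',
  'image/svg+xml',
  'text/xml',
  'application/xml',
]);

// Percent-encode a filename for an RFC 5987 filename*= parameter, so quotes and
// CR/LF in a crafted upload name cannot split or inject response headers.
function encodeFilename(name) {
  return encodeURIComponent(String(name || 'download'))
    .replace(/['()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Response headers for serving one stored file. Renderable types are downgraded to a
// generic binary type, every response is an attachment with sniffing disabled, and a
// sandboxed CSP is a second layer in case a client ignores the disposition.
function downloadHeaders(mimeType, filename) {
  const type = String(mimeType || '').split(';')[0].trim().toLowerCase();
  const contentType = !type || ACTIVE_CONTENT_TYPES.has(type)
    ? 'application/octet-stream'
    : type;
  return {
    'Content-Type': contentType,
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `attachment; filename*=UTF-8''${encodeFilename(filename)}`,
    'Content-Security-Policy': "sandbox; default-src 'none'",
    'Cache-Control': 'private, no-store',
  };
}

// Upload-time scan of text-based files for markup that executes script. This is a
// heuristic denylist for rejecting or quarantining obvious payloads; the headers above
// remain the real control, because a scan like this can always be bypassed.
const ACTIVE_MARKERS = [
  ['script element', /<script\b/i],
  ['event handler attribute', /\son[a-z]+\s*=/i],
  ['javascript: URL', /javascript\s*:/i],
  ['embedded document', /<(iframe|object|embed|foreignObject)\b/i],
  ['data: URL in href', /href\s*=\s*["']?\s*data:/i],
];

function isTextType(mimeType) {
  const type = String(mimeType || '').split(';')[0].trim().toLowerCase();
  return type.startsWith('text/') || ACTIVE_CONTENT_TYPES.has(type);
}

// Returns the names of the markers found; an empty array means nothing was flagged.
// Only the first 1 MiB is examined so a huge upload cannot tie up the scanner.
function findActiveContent(data, mimeType) {
  if (!isTextType(mimeType)) return [];
  const text = Buffer.from(data).subarray(0, 1024 * 1024).toString('utf8');
  return ACTIVE_MARKERS.filter(([, re]) => re.test(text)).map(([name]) => name);
}

// Constructed sample uploads for the example (not taken from the advisory).
const SAMPLE_SVG_PAYLOAD = Buffer.from(
  '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)">' +
  '<script>fetch("/users/me")</script></svg>');
const SAMPLE_SVG_CLEAN = Buffer.from(
  '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>');
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

console.log('flagged:', findActiveContent(SAMPLE_SVG_PAYLOAD, 'image/svg+xml'));
console.log('headers:', downloadHeaders('image/svg+xml', 'logo.svg'));
```

The two functions cover the two halves of the problem: `findActiveContent` catches the obvious payload at upload time, and `downloadHeaders` makes sure that whatever is stored is never rendered in the application's origin, including a file whose declared type is `image/png` but whose bytes are SVG, which `nosniff` plus the attachment disposition keeps the browser from interpreting as markup. Any endpoint that intentionally renders uploads inline (thumbnails, previews) should serve them from a separate origin that holds no session cookies.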
CVSS 3.1 base score: 5.4 (Medium)
CVSS 3.1 vector (base and temporal metrics): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C
Upgrade to Directus v9.7.0 or later. See the release notes for the latest available version (https://github.com/directus/directus/releases).
David Johansson, a researcher from the Synopsys Cybersecurity Research Center, discovered this vulnerability.
Synopsys would like to commend the Directus team for their responsiveness and for addressing this vulnerability in a timely manner.
- January 28, 2022: Initial disclosure to the Directus team
- March 7, 2022: Directus security team confirms the vulnerability and its intent to patch it
- March 18, 2022: Directus v9.7.0 is released with a fix for CVE-2022-24814
- April 6, 2022: Advisory published by Synopsys