XSS vulnerability patched in Directus data engine platform

A cross-site scripting (XSS) vulnerability has been patched in the popular Directus engine. 

Directus is an open source, modular content management system (CMS) promoted as a “flexible powerhouse for engineers.” The platform can be used to wrap SQL databases with GraphQL and REST APIs. 

Directus has achieved 14.9k stars on GitHub and there are approximately 1,700 forks. 

Discovered by Synopsys Cybersecurity Research Center (CyRC) researcher David Johansson, the vulnerability is tracked as CVE-2022-24814 and can lead to account compromise. 

Impacting Directus v9.6.0 and earlier, CVE-2022-24814 was found in the file upload functionality of the CMS. 

“Unauthorized JavaScript can be executed by inserting an iframe into the rich text HTML interface that links to an uploaded HTML file that loads another uploaded JS file in its script tag,” Directus explained. “This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS.”

According to Synopsys, authenticated users can create a stored XSS attack that triggers when other users try to view “certain” collections or files on the platform. 
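The chain described in the two paragraphs above works because user-uploaded HTML and JavaScript are served from the application's own origin and rendered as active documents, so a same-origin iframe satisfies the existing CSP. The snippet below is an added illustration of the defensive side, not code from Directus or from the advisory: it builds the response headers for a hypothetical upload-serving route so that uploaded HTML, SVG and script files are delivered as downloads under a sandboxed CSP, and it adds a coarse check that flags framing elements in rich-text HTML before it is stored. The function names and the MIME list are this example's own assumptions.

```javascript
// Added example (not Directus code): defensive headers for serving user uploads
// and a coarse pre-storage check for framing elements in rich-text HTML.
// Assumed names: ACTIVE_TYPES, normaliseMime, isActiveContent,
// uploadResponseHeaders, findFramingElements.

// MIME types a browser will execute or render as an active document when
// navigated to directly or loaded inside an iframe.
const ACTIVE_TYPES = new Set([
  "text/html",
  "application/xhtml+xml",
  "image/svg+xml",
  "application/javascript",
  "text/javascript",
  "application/x-javascript",
]);

// Reduce "text/html; charset=utf-8" to "text/html" for comparison.
function normaliseMime(mimeType) {
  return String(mimeType || "").split(";")[0].trim().toLowerCase();
}

function isActiveContent(mimeType) {
  return ACTIVE_TYPES.has(normaliseMime(mimeType));
}

// Headers for one uploaded file. Active content is forced to download and,
// if it is ever rendered anyway, runs in a CSP sandbox with no script sources.
// Serving uploads from a separate origin is the stronger fix; these headers
// are defence in depth for the case where they share the app origin.
function uploadResponseHeaders(filename, mimeType) {
  const type = normaliseMime(mimeType) || "application/octet-stream";
  // Keep the header well-formed: drop quotes, newlines and other odd bytes.
  const safeName = String(filename).replace(/[^\w.\-]/g, "_");
  const headers = {
    "Content-Type": type,
    "X-Content-Type-Options": "nosniff", // no MIME sniffing into HTML/JS
    "Content-Disposition": `inline; filename="${safeName}"`,
    "Content-Security-Policy": "sandbox; default-src 'none'",
  };
  if (isActiveContent(type)) {
    headers["Content-Disposition"] = `attachment; filename="${safeName}"`;
  }
  return headers;
}

// Coarse detection, not sanitisation: report framing/embedding elements in
// rich-text HTML so a defender can reject or review the content before it is
// stored. A real deployment should run a proper HTML sanitiser as well.
function findFramingElements(html) {
  const re = /<\s*(iframe|frame|object|embed)\b/gi;
  const found = [];
  let m;
  while ((m = re.exec(String(html))) !== null) {
    found.push(m[1].toLowerCase());
  }
  return found;
}

// Constructed sample input for a stand-alone run.
const sampleRichText =
  '<p>Hello</p><iframe src="/assets/00000000-example-upload"></iframe>';
console.log(uploadResponseHeaders("page.html", "text/html; charset=utf-8"));
console.log(findFramingElements(sampleRichText));
```

The `findFramingElements` check is deliberately simple and only flags content for review; the header function is the part that breaks the described chain, because an iframe that points at a file served with `Content-Disposition: attachment` never renders as a document in the parent page's origin.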

A similar issue, tracked under CVEs CVE-2022-22116 and CVE-2022-22117, was previously disclosed in the Directus App. However, the mitigation improvements did not go far enough and so

Read More: https://www.zdnet.com/article/xss-vulnerability-patched-in-directus-data-engine-platform/#ftag=RSSbaffb68