A cross-site scripting (XSS) vulnerability has been patched in the popular Directus engine.
Directus is an open source, modular content management system (CMS) promoted as a “flexible powerhouse for engineers.” The platform can be used to wrap SQL databases with GraphQL and REST APIs.
Directus has 14.9k stars and approximately 1,700 forks on GitHub.
Discovered by Synopsys Cybersecurity Research Center (CyRC) researcher David Johansson, the vulnerability is tracked as CVE-2022-24814 and can lead to account compromise.
Impacting Directus v9.6.0 and earlier, CVE-2022-24814 was found in the file upload functionality of the CMS.
According to Synopsys, authenticated users can create a stored XSS attack that triggers when other users try to view “certain” collections or files on the platform.
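The weakness class described above, as an added defender-side example that is not Directus code and not the project's actual fix: one way a CMS can serve user uploads so that an uploaded HTML or SVG file cannot execute script when another user views it. The page does not state the exact vector, so this assumes the common case of an active-content file being rendered inline, and the function names are hypothetical.

```python
# Added example (not Directus code). Shows the weak setting (trust the
# uploader's Content-Type and render inline) beside a hardened way of
# building response headers for a stored upload. Assumption: the stored
# XSS vector is an HTML/SVG upload rendered inline in the viewer's browser.

# MIME types browsers render inline that can carry script.
ACTIVE_CONTENT = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "application/javascript",
}
# Types that are safe to display inline (no script execution).
INLINE_SAFE = {"image/png", "image/jpeg", "image/gif", "image/webp"}


def _safe_filename(filename: str) -> str:
    """Drop anything that could break out of the Content-Disposition header."""
    return "".join(c for c in filename if c.isalnum() or c in "._-") or "download"


def weak_headers(declared_type: str, filename: str) -> dict:
    """Weak setting: echo the uploader's type and let the browser render it."""
    return {"Content-Type": declared_type,
            "Content-Disposition": f'inline; filename="{filename}"'}


def hardened_headers(declared_type: str, filename: str) -> dict:
    """Hardened: only allowlisted types are shown inline; everything else is
    forced to download as an opaque blob, with sniffing and scripts disabled."""
    mime = declared_type.split(";")[0].strip().lower()  # strip charset params
    name = _safe_filename(filename)
    if mime in INLINE_SAFE:
        content_type, disposition = mime, f'inline; filename="{name}"'
    else:
        # Active or unknown content: never render in the CMS origin.
        content_type = "application/octet-stream" if mime in ACTIVE_CONTENT else mime
        disposition = f'attachment; filename="{name}"'
    return {
        "Content-Type": content_type,
        "Content-Disposition": disposition,
        "X-Content-Type-Options": "nosniff",          # no MIME sniffing to HTML
        "Content-Security-Policy": "default-src 'none'; sandbox",  # no script, no origin
    }


if __name__ == "__main__":
    # Constructed upload: an SVG whose declared type a browser would render inline.
    for build in (weak_headers, hardened_headers):
        print(build.__name__, build("image/svg+xml", "logo.svg"))
```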