Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-XMJJ-3C76-5W84
HistoryApr 05, 2022 - 6:30 p.m.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in directus

2022-04-0518:30:15
Google
osv.dev
13

0.001 Low

EPSS

Percentile

35.2%

JSON

Impact

Unauthorized JavaScript can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HTML file that loads another uploaded JS file in its script tag. This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS.

Patches

This was resolved in https://github.com/directus/directus/pull/12020 which is released in 9.7.0

Workarounds

You can disable the live embed in the WYSIWYG by adding { "media_live_embeds": false } to the Options Overrides option of the Rich Text HTML interface.

References

https://github.com/directus/directus/pull/12020

For more information

If you have any questions or comments about this advisory:

CPENameOperatorVersion
directuslt9.7.0

Related

cve 1
osv 1
veracode 1
github 1
cvelist 1
cnvd 1
prion 1
nvd 1
cve
cve
CVE-2022-24814
2022-04-04 18:15:08
osv
osv
CVE-2022-24814
2022-04-04 18:15:08
veracode
veracode
Cross-Site Scripting (XSS)
2022-04-05 12:08:46
github
github
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in directus
2022-04-05 18:30:15
cvelist
cvelist
CVE-2022-24814 Cross-site Scripting in Directus
2022-04-04 17:50:11
cnvd
cnvd
Directus Cross-Site Scripting Vulnerability (CNVD-2022-81371)
2022-04-07 00:00:00
prion
prion
Design/Logic Flaw
2022-04-04 18:15:00
nvd
nvd
CVE-2022-24814
2022-04-04 18:15:08

0.001 Low

EPSS

Percentile

35.2%

JSON
Related for OSV:GHSA-XMJJ-3C76-5W84
cve1osv1veracode1github1cvelist1cnvd1prion1nvd1