CVE-2022-22117
Directus contains a Cross-Site Scripting vulnerability in its media upload flow (versions 9.0.0-alpha.4 through 9.4.1) where unrestricted HTML file uploads can be used as a profile avatar. A low-privilege attacker can upload a crafted HTML file, and when an admin or another user opens it, the XSS...