CVE-2022-22117
Date: January 10, 2022
Overview
In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in the media upload functionality, which leads to a Cross-Site Scripting vulnerability. A low privileged attacker can upload a crafted HTML file as a profile avatar, and when an admin or another user opens it, the XSS payload gets triggered.
Details
The Directus application allows unrestricted file upload of .html files in the media upload functionality, which leads to a Cross-Site Scripting vulnerability. A low privileged attacker can upload a crafted HTML file as a profile avatar, and when an admin or another user opens it in a new tab, the XSS payload gets triggered.
PoC Details
Log in to the application with a low privileged user. Go to the files section and upload the file with the XSS payload given below. Go to the users section and click on your user. On the “avatar” field, click on the “choose file from library” option, select the HTML file and save.
In a private window, log in as an administrator. Again go to the users section and click on the low privileged user. Hover over the profile image icon and open the image in a new tab. Notice that the XSS is triggered.
PoC Code
<html>
<body>
<script>alert(document.domain)</script>
</body>
</html>
Affected Environments
GitHub - v9.0.0-alpha.4 through v9.4.1; NPM - 9.0.0-alpha.5 through 9.4.1
Prevention
Update to Directus version 9.4.2
Language: TypeScript
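The two controls that close this class of bug are (1) refusing active content (HTML, XHTML, SVG) where only a raster image belongs, checking the real bytes rather than the extension or the declared type, and (2) serving anything else from the file library with headers that stop the browser from rendering it as a document. The following is an added illustration in TypeScript, not Directus code; this page does not describe how 9.4.2 actually fixed the issue, and the function and type names are the example's own.

```typescript
// Added example (not Directus code): defensive handling of user-uploaded files
// that could carry active content, such as the .html avatar on this page.

// Types a browser will render as a document and execute script from.
const ACTIVE_CONTENT_TYPES = new Set([
  "text/html", "application/xhtml+xml", "image/svg+xml", "text/xml", "application/xml",
]);
// Extensions never accepted for an image-only field such as an avatar.
const ACTIVE_EXTENSIONS = new Set(["html", "htm", "xhtml", "svg", "xml", "js"]);
// Raster image types an avatar may be; identified from leading magic bytes.
const IMAGE_SIGNATURES: Array<{ mime: string; magic: number[] }> = [
  { mime: "image/png", magic: [0x89, 0x50, 0x4e, 0x47] },
  { mime: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
  { mime: "image/gif", magic: [0x47, 0x49, 0x46, 0x38] },
];

interface UploadCheck { ok: boolean; reason?: string; detectedMime?: string }

// Returns the raster image type matching the file's first bytes, or undefined.
function sniffImageMime(bytes: Uint8Array): string | undefined {
  for (const { mime, magic } of IMAGE_SIGNATURES) {
    if (magic.every((b, i) => bytes[i] === b)) return mime;
  }
  return undefined;
}

// Avatar upload check: extension, declared type and actual bytes must all agree
// on a raster image. A renamed HTML file fails on the byte check.
function checkAvatarUpload(filename: string, declaredMime: string, bytes: Uint8Array): UploadCheck {
  const ext = filename.toLowerCase().split(".").pop() ?? "";
  if (ACTIVE_EXTENSIONS.has(ext)) return { ok: false, reason: `extension .${ext} not allowed for avatars` };
  if (ACTIVE_CONTENT_TYPES.has(declaredMime.toLowerCase())) return { ok: false, reason: `type ${declaredMime} not allowed` };
  const detected = sniffImageMime(bytes);
  if (!detected) return { ok: false, reason: "content is not a recognised raster image" };
  return { ok: true, detectedMime: detected };
}

// Response headers for serving any stored library file: only plain raster images
// are shown inline; everything else is forced to download, with sniffing disabled.
function downloadHeaders(storedMime: string, filename: string): Record<string, string> {
  const inlineSafe = storedMime.startsWith("image/") && !ACTIVE_CONTENT_TYPES.has(storedMime);
  const safeName = filename.replace(/["\r\n]/g, "");
  return {
    "Content-Type": inlineSafe ? storedMime : "application/octet-stream",
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": `${inlineSafe ? "inline" : "attachment"}; filename="${safeName}"`,
    "Content-Security-Policy": "default-src 'none'; sandbox",
  };
}
```

The `sandbox` CSP directive is a second line of defence: even if an HTML file is ever served inline, script in it runs in an opaque origin and cannot read the application's session.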
Good to know:
Base Score (CVSS v3 metrics):
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | Low |
| User Interaction (UI) | Required |
| Scope (S) | Changed |
| Confidentiality (C) | Low |
| Integrity (I) | Low |
| Availability (A) | None |
Base Score (CVSS v2 metrics):
| Metric | Value |
|---|---|
| Access Vector (AV) | Network |
| Access Complexity (AC) | Medium |
| Authentication (AU) | Single |
| Confidentiality (C) | None |
| Integrity (I) | Partial |
| Availability (A) | None |