CVE-2022-22117

Overview

In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in the media upload functionality, which leads to Cross-Site Scripting vulnerability. A low privileged attacker can upload a crafted HTML file as a profile avatar, and when an admin or another user opens it, the XSS payload gets triggered.

Details

Directus application allows unrestricted file upload of .html files in the media upload functionality, which leads to Cross-Site Scripting vulnerability.
A low privileged attacker can upload a crafted HTML file as a profile avatar, and when an admin or another user opens it in a new tab, the XSS payload gets triggered.

PoC Details

Login to the application with a low privileged user.
Go to the files section and upload the file with the XSS payload given below. Go to the users section and click on your user. On the “avatar” field, click on the “choose file from library” option, select the html file and save.
In a private window, login as an administrator. Again go to the users section and click on the low privileged user. Hover over the profile image icon and open the image in a new tab. Notice the XSS is triggered.

PoC Code

<html>
    <body>
        <script>alert(document.domain)</script>
    </body>
</html>

Affected Environments

Github - v9.0.0-alpha.4 through v9.4.1; NPM - 9.0.0-alpha.5 through 9.4.1

Prevention

Update to directus version 9.4.2