
CVE-2022-22117

Date: January 10, 2022

Overview

Directus versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted upload of .html files through the media upload functionality, which leads to a cross-site scripting (XSS) vulnerability. A low-privileged attacker can upload a crafted HTML file as a profile avatar, and when an admin or another user opens it, the XSS payload is triggered.

Details

The Directus application allows unrestricted upload of .html files through the media upload functionality, which leads to a cross-site scripting vulnerability.
A low-privileged attacker can upload a crafted HTML file as a profile avatar, and when an admin or another user opens it in a new tab, the XSS payload is triggered.

PoC Details

Log in to the application as a low-privileged user.
Go to the files section and upload the file containing the XSS payload given below.
Go to the users section and click on your user. In the "avatar" field, click the "choose file from library" option, select the HTML file and save.
In a private window, log in as an administrator. Again go to the users section and click on the low-privileged user. Hover over the profile image icon and open the image in a new tab. Notice that the XSS is triggered.

PoC Code

<html>
    <body>
        <script>alert(document.domain)</script>
    </body>
</html>

Affected Environments

GitHub: v9.0.0-alpha.4 through v9.4.1; npm: 9.0.0-alpha.5 through 9.4.1

Prevention

Update to Directus version 9.4.2.
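The remedy on this page is the upgrade; the block below is an added example, not Directus code and not the project's actual patch, showing the kind of server-side gate that blocks this class of upload: an avatar endpoint that accepts only image types whose extension, declared Content-Type and leading bytes all agree, plus response headers that stop a browser from treating any user-supplied file as a document in the application's origin. The Upload shape and the function names are assumptions.

```typescript
// Added example (not Directus code): server-side gate for avatar uploads.
interface Upload {
  filename: string;
  declaredType: string; // Content-Type sent by the client
  bytes: Uint8Array;    // file body (the first few bytes are enough)
}

// Image types allowed as an avatar, with the magic bytes each must start with.
const IMAGE_SIGNATURES: Record<string, number[]> = {
  "image/png": [0x89, 0x50, 0x4e, 0x47],
  "image/jpeg": [0xff, 0xd8, 0xff],
  "image/gif": [0x47, 0x49, 0x46, 0x38],
};
const EXT_TO_TYPE: Record<string, string> = {
  png: "image/png", jpg: "image/jpeg", jpeg: "image/jpeg", gif: "image/gif",
};

// Sniff the real type from content; undefined when it is none of the allowed images.
function sniffImageType(bytes: Uint8Array): string | undefined {
  for (const [type, sig] of Object.entries(IMAGE_SIGNATURES)) {
    if (sig.every((b, i) => bytes[i] === b)) return type;
  }
  return undefined;
}

// Accept only when extension, declared type and sniffed content all agree on
// one allowed image type, so an .html body (or HTML renamed to .png) is rejected.
function validateAvatar(u: Upload): { ok: boolean; reason?: string } {
  const ext = u.filename.toLowerCase().split(".").pop() ?? "";
  const byExt = EXT_TO_TYPE[ext];
  if (!byExt) return { ok: false, reason: `extension .${ext} not allowed` };
  if (u.declaredType.toLowerCase() !== byExt) {
    return { ok: false, reason: `declared type ${u.declaredType} does not match .${ext}` };
  }
  if (sniffImageType(u.bytes) !== byExt) {
    return { ok: false, reason: `content is not ${byExt}` };
  }
  return { ok: true };
}

// Headers for serving any user-supplied file: even if a check is bypassed, the
// browser must not sniff it into a document or run it in the app's origin.
function fileResponseHeaders(storedType: string): Record<string, string> {
  return {
    "Content-Type": storedType,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "sandbox",
  };
}
```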

Language: TypeScript

Good to know:


Cross-Site Scripting (XSS)

CWE-79

Upgrade Version

Upgrade to Directus version 9.4.2


CVSS v3 Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None