First published: Mon Apr 04 2022(Updated: )
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HTML file that loads another uploaded JS file in its script tag. This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS. This issue was resolved in version 9.7.0. As a workaround, disable the live embed in the what-you-see-is-what-you-get by adding `{ "media_live_embeds": false }` to the _Options Overrides_ option of the Rich Text HTML interface.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Rangerstudio Directus | <9.7.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2022-24814 is a vulnerability in Directus, a real-time API and App dashboard for managing SQL database content.
The severity of CVE-2022-24814 is high with a CVSS score of 6.1.
CVE-2022-24814 allows unauthorized JavaScript to be executed by inserting an iframe into the rich text HTML interface and linking it to a file that loads another uploaded JS file.
Versions up to and excluding 9.7.0 of Directus are affected by CVE-2022-24814.
To fix CVE-2022-24814, update Directus to version 9.7.0 or later.