CVE-2022-24814: XSS
First published: Mon Apr 04 2022(Updated: )
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to a file uploaded HTML file that loads another uploaded JS file in its script tag. This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS. This issue was resolved in version 9.7.0. As a workaround, disable the live embed in the what-you-see-is-what-you-get by adding `{ "media_live_embeds": false }` to the _Options Overrides_ option of the Rich Text HTML interface.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rangerstudio Directus | <9.7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-24814?
CVE-2022-24814 is a vulnerability in Directus, a real-time API and App dashboard for managing SQL database content.
What is the severity of CVE-2022-24814?
The severity of CVE-2022-24814 is high with a CVSS score of 6.1.
How does CVE-2022-24814 work?
CVE-2022-24814 allows unauthorized JavaScript to be executed by inserting an iframe into the rich text HTML interface and linking it to a file that loads another uploaded JS file.
Which versions of Directus are affected by CVE-2022-24814?
Versions up to and excluding 9.7.0 of Directus are affected by CVE-2022-24814.
How can I fix CVE-2022-24814?
To fix CVE-2022-24814, update Directus to version 9.7.0 or later.
- collector/nvd-index
- agent/references
- agent/event
- agent/tags
- agent/severity
- agent/weakness
- agent/author
- agent/type
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- vendor/rangerstudio
- canonical/rangerstudio directus