Lucene search

MendCVELIST:CVE-2022-22117

HistoryJan 10, 2022 - 3:26 p.m.

CVE-2022-22117 Directus - Stored Cross-Site Scripting (XSS) in Profile Avatar Image

2022-01-1015:26:45

CWE-79

Mend

www.cve.org

directus

cross-site scripting

html file upload

profile avatar image

vulnerability

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in the media upload functionality, which leads to Cross-Site Scripting vulnerability. A low privileged attacker can upload a crafted HTML file as a profile avatar, and when an admin or another user opens it, the XSS payload gets triggered.

CNA Affected

[
  {
    "product": "directus",
    "vendor": "directus",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "9.0.0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "9.4.1",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/directus/directus/commit/ec86d5412d45136915d9b622b4a890dd26932b10

www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22117