CVE-2022-24814

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to execute arbitrary JavaScript in Directus by uploading HTML and JS files and embedding them in rich text fields. It affects Directus instances prior to version 9.7.0 where users can upload files and use rich text interfaces. The attack bypasses content security policies through iframe manipulation.

💻 Affected Systems

Products:
  • Directus
Versions: All versions prior to 9.7.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires file upload functionality and rich text HTML interface to be enabled and accessible to users.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Directus instance allowing data theft, account takeover, and further server exploitation through client-side attacks.

🟠

Likely Case

Cross-site scripting attacks leading to session hijacking, data manipulation, and unauthorized actions within the application.

🟢

If Mitigated

Limited impact with proper input validation and content security policies, potentially only affecting user interface elements.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user access to upload files and use rich text fields, but the technique is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.7.0

Vendor Advisory: https://github.com/directus/directus/security/advisories/GHSA-xmjj-3c76-5w84

Restart Required: Yes

Instructions:

1. Backup your Directus instance and database.
2. Update Directus to version 9.7.0 or later.
3. Restart the Directus service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable Live Embeds

all

Disable the live embed feature in the WYSIWYG editor to prevent iframe-based exploitation.

Add { "media_live_embeds": false } to the Options Overrides setting of the Rich Text HTML interface

🧯 If You Can't Patch

  • Restrict file upload permissions to trusted users only
  • Implement additional content security policies and input validation for rich text fields

🔍 How to Verify

Check if Vulnerable:

Check Directus version - if below 9.7.0 and rich text interfaces are enabled, the system is vulnerable

Check Version:

Check package.json or Directus admin interface for version information

Verify Fix Applied:

Verify Directus version is 9.7.0 or higher and test rich text field functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload patterns
  • Multiple HTML/JS file uploads from single users
  • Rich text field modifications containing iframe tags

Network Indicators:

  • Requests to uploaded HTML/JS files from rich text interfaces
  • Cross-origin requests from embedded iframes

SIEM Query:

source="directus" AND ((event="file_upload" AND file_extension IN ("html", "js")) OR (event="content_update" AND content CONTAINS "iframe"))
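The log indicators above, turned into a small offline detector as an added example (not part of this advisory or of Directus itself). The record layout, field names and sample entries are constructed assumptions about what an exported Directus activity/upload log might look like; it flags HTML/JS uploads, repeated risky uploads by one user, and rich text updates containing an iframe tag, mirroring the grouped SIEM query.

```python
import json
import re
from collections import Counter

# Constructed sample log records (assumed layout, not real Directus output).
SAMPLE_LOGS = [
    '{"event":"file_upload","user":"u1","filename":"report.pdf"}',
    '{"event":"file_upload","user":"u2","filename":"page.html"}',
    '{"event":"file_upload","user":"u2","filename":"loader.js"}',
    '{"event":"content_update","user":"u3","field":"body","content":"<p>hello</p>"}',
    '{"event":"content_update","user":"u2","field":"body",'
    '"content":"<IFRAME src=\\"/assets/abc\\"></iframe>"}',
]

# Extensions the advisory calls out as abusable when served from the instance.
RISKY_EXT = {"html", "htm", "js"}
# Case-insensitive match on an opening iframe tag inside rich text content.
IFRAME_RE = re.compile(r"<\s*iframe\b", re.IGNORECASE)


def file_extension(name):
    """Lower-cased extension of a filename, or '' if it has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines, upload_threshold=2):
    """Scan JSON log lines and return a list of (indicator, user, detail) alerts."""
    alerts = []
    risky_uploads = Counter()
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        event = rec.get("event")
        if event == "file_upload" and file_extension(rec.get("filename", "")) in RISKY_EXT:
            risky_uploads[rec["user"]] += 1
            alerts.append(("risky_upload", rec["user"], rec["filename"]))
        elif event == "content_update" and IFRAME_RE.search(rec.get("content", "")):
            alerts.append(("iframe_in_rich_text", rec["user"], rec.get("field")))
    # "Multiple HTML/JS file uploads from single users" indicator.
    for user, count in risky_uploads.items():
        if count >= upload_threshold:
            alerts.append(("repeated_risky_uploads", user, count))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```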
