A cross-site scripting (XSS) vulnerability has been patched in the popular Directus engine.
Directus is an open source, modular content management system (CMS) promoted as a “flexible powerhouse for engineers.” The platform can be used to wrap SQL databases with GraphQL and REST APIs.
Directus has achieved 14.9k stars on GitHub and there are approximately 1,700 forks.
Discovered by Synopsys Cybersecurity Research Center (CyRC) researcher David Johansson, the vulnerability is tracked as CVE-2022-24814 and can lead to account compromise.
Impacting Directus v9.6.0 and earlier, CVE-2022-24814 was found in the file upload functionality of the CMS.
“Unauthorized JavaScript can be executed by inserting an iframe into the rich text HTML interface that links to a file uploaded HTML file that loads another uploaded JS file in its script tag,” Directus explained. “This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS.”
According to Synopsys, authenticated users can create a stored XSS attack that triggers when other users try to view “certain” collections or files on the platform.
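The defensive counterpart to the chain described above, as an added example (not Directus code): a rich-text sanitizer that drops iframe and other embedding elements before the fragment is stored, and records when one pointed at an uploaded file. The `/assets/` upload path and the sample fragments are assumptions for the illustration.

```python
from html import escape
from html.parser import HTMLParser

EMBEDDING_TAGS = {"iframe", "frame", "object", "embed", "script"}
UPLOAD_PREFIX = "/assets/"  # hypothetical path where uploaded files are served


class RichTextSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # sanitized output pieces
        self.findings = []   # human-readable list of what was removed
        self._depth = 0      # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in EMBEDDING_TAGS:
            src = dict(attrs).get("src") or ""
            if src.startswith(UPLOAD_PREFIX):  # the chain the advisory describes
                self.findings.append(f"<{tag}> embeds uploaded file {src}")
            else:
                self.findings.append(f"<{tag}> removed")
            if tag != "embed":  # <embed> is a void element with no end tag
                self._depth += 1
            return
        if self._depth:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):  # onclick, onload, ... never belong here
                self.findings.append(f"{name} handler removed from <{tag}>")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in EMBEDDING_TAGS:
            if tag != "embed" and self._depth:
                self._depth -= 1
            return
        if not self._depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._depth:
            self.out.append(escape(data, quote=False))


def sanitize_rich_text(fragment):
    parser = RichTextSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.findings
```

Run it on each rich-text field at save time and log the findings; a non-empty list for a field that should only hold formatted text is worth an alert on its own.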
A similar issue, tracked as CVE-2022-22116 and CVE-2022-22117, was previously disclosed in the Directus App. However, the mitigation improvements did not go far enough and so could be bypassed, the researchers added.
Synopsys disclosed its findings to Directus on January 28. The platform’s team triaged the vulnerability and released v3.7.0 on March 18 to resolve the security issue. In addition, Directus improved a “very permissive” default value for CORS configuration which could lead to unauthorized access when configurations had not been changed.
The latest build is v3.9.0.
“Synopsys would like to commend the Directus team for their responsiveness and for addressing this vulnerability in a timely manner,” the company said.
In related news, VMware published a security advisory on April 6 urging customers to update software including VMware Workspace ONE Access, Identity Manager (vIDM), and vRealize Automation (vRA) in order to fix bugs leading to remote code execution (RCE), among other issues.