CVE-2022-24814
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in directus
Description
### Impact
Unauthorized JavaScript can be executed by inserting an iframe into the Rich Text HTML interface that links to an uploaded HTML file, which in turn loads another uploaded JS file in its script tag. Because both uploads are served from the application's own origin, this satisfies the regular Content Security Policy header, which allows the file to run arbitrary JS.

### Patches
This was resolved in https://github.com/directus/directus/pull/12020, which is released in 9.7.0.

### Workarounds
You can disable live embeds in the WYSIWYG editor by adding `{ "media_live_embeds": false }` to the _Options Overrides_ option of the Rich Text HTML interface.

### References
https://github.com/directus/directus/pull/12020

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [directus/directus](https://github.com/directus/directus)
* Email us at [security@directus.io](mailto:security@directus.io)
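Content saved before the upgrade or workaround may still carry such embeds. The following is an added audit helper, not Directus project code: it scans stored rich-text HTML for iframes whose `src` resolves to a file served from the instance's own upload route. The `/assets/` path, the `cms.example.test` origin and the sample rows are assumptions constructed for the example.

```javascript
// Added example (not part of Directus): flag stored rich-text HTML whose <iframe>
// points at a file hosted by this same instance, i.e. the embed shape that
// bypasses a self-only CSP as described in the advisory.
const UPLOAD_PATH = '/assets/'; // assumption: adjust to your deployment's files route

// Extract the src attribute value of every <iframe ...> opening tag.
function extractIframeSources(html) {
  const tagRe = /<iframe\b[^>]*>/gi;
  const srcRe = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const sources = [];
  for (const m of html.matchAll(tagRe)) {
    const attr = srcRe.exec(m[0]);
    if (attr) sources.push((attr[1] ?? attr[2] ?? attr[3]).trim());
  }
  return sources;
}

// True when src resolves to an uploaded file on the given origin: same origin,
// so a 'self' Content-Security-Policy would allow scripts loaded from it.
function isSelfHostedUpload(src, origin) {
  let url;
  try { url = new URL(src, origin); } catch { return false; }
  return url.origin === new URL(origin).origin && url.pathname.startsWith(UPLOAD_PATH);
}

// Audit one rich-text field; returns the offending iframe sources (empty if clean).
function findSuspiciousEmbeds(html, origin) {
  return extractIframeSources(html).filter((src) => isSelfHostedUpload(src, origin));
}

// Audit many rows (e.g. a dump of a rich-text column) and report id + src pairs.
function auditRows(rows, origin) {
  return rows.flatMap((r) =>
    findSuspiciousEmbeds(r.body, origin).map((src) => ({ id: r.id, src })));
}

// Constructed sample rows: a third-party embed (benign for this check) and two
// embeds of files served by the instance itself (relative and absolute form).
const SAMPLE_ROWS = [
  { id: 1, body: '<p>Hi</p><iframe src="https://www.youtube.com/embed/abc"></iframe>' },
  { id: 2, body: '<p>x</p><iframe src="/assets/11111111-2222-3333-4444-555555555555"></iframe>' },
  { id: 3, body: "<iframe src='https://cms.example.test/assets/aaaa?download'></iframe>" },
];

console.log(auditRows(SAMPLE_ROWS, 'https://cms.example.test'));
// → flags rows 2 and 3, not row 1
```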
How to fix CVE-2022-24814
To remediate CVE-2022-24814, upgrade the affected package to a fixed version below.
- Upgrade to 9.7.0 or later
Is CVE-2022-24814 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- directus: from 0, < 9.7.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |