Home Latest Cyber Security News | Network Security Hacking Serious XSS Vulnerability Found In Directus Open Data Platform
Latest Cyber Security News | Network Security HackingNewsVulnerabilities

Serious XSS Vulnerability Found In Directus Open Data Platform

by Abeerah Hashim
written by Abeerah Hashim
Directus XSS vulnerability

A serious security vulnerability existed in the Directus CMS that could allow XSS attacks. The vendors patched the bug soon after it caught the attention, and released the fix with the subsequent software update.

Directus XSS Vulnerability

According to a recent report from Synopsys Cybersecurity Research Center (CyRC), its researchers found a cross-site scripting (XSS) flaw in the Directus CMS.

Specifically, the Directus Open Data Platform is an open-source headless CMS that facilitates database management. The JavaScript-based software lets the users view and manage data and content without hassle.

Regarding the vulnerability, the researcher David Johansson explained that he caught a stored XSS vulnerability in the file upload functionality of the Directus platform. As described,

An authenticated user with access to Directus can abuse the file upload functionality to create a stored XSS attack that is automatically executed when other users view certain collections or files within Directus.

In the worst exploit, an adversary succeeding in compromising the admin could even gain access to Directus data and settings.

The vulnerability, CVE-2022-24814, has received a medium-severity rating with a CVSS score of 5.4.

The researcher explained that this bug isn’t the first such case. Instead, two other vulnerabilities, CVE-2022-22116 and CVE-2022-22117, had previously drawn attention as well. In fact, the vendors even fixed those flaws with the software version 9.4.2. However, it remained possible to bypass the patches, and thus, the vulnerability affected all platforms including and before Directus v9.6.0.

Nonetheless, the vendors, upon receiving the bug report for CVE-2022-24814, worked again to fix it. Consequently, they released the fix with Directus v9.7.0.

Though this isn’t the latest version, and the vendors have even rolled out the Directus v9.8.0 earlier this month. But since they all include the patch, Directus users must ensure upgrading to the latest version to stay up to date with all the recent feature and security upgrades.

Let us know your thoughts in the comments.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Multiple Vulnerabilities Found In Forminator WordPress Plugin

Palo Alto Networks Patched A Pan-OS Vulnerability Under...

Apple Removed Numerous Apps From China App Store

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...