Unrated severity · NVD Advisory · Published Jan 10, 2022 · Updated Sep 16, 2024
Directus - Stored Cross-Site Scripting (XSS) in Profile Avatar Image
CVE-2022-22117
Description
Directus versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted upload of .html files through the media upload functionality, which leads to a stored cross-site scripting vulnerability. A low-privileged attacker can upload a crafted HTML file as a profile avatar; when an admin or another user opens it, the XSS payload is triggered.
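The root cause described above is that the avatar endpoint trusted the upload and later served it in a way the browser would render as a document. The following is an added illustration, not Directus code: an avatar validator that decides from the file's bytes (never from the client-supplied filename or Content-Type alone) and the response headers that keep any stored upload from executing script. Function names and the constructed sample are assumptions for the example.

```javascript
// Added example (not Directus code): accept an avatar only when its bytes are a raster
// image, and serve stored uploads with headers that stop in-browser document rendering.
const IMAGE_SIGNATURES = {
  'image/png':  { magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a], exts: ['png'] },
  'image/jpeg': { magic: [0xff, 0xd8, 0xff], exts: ['jpg', 'jpeg'] },
  'image/gif':  { magic: [0x47, 0x49, 0x46, 0x38], exts: ['gif'] },
};

// Identify the image type from leading bytes; null for anything else (HTML, SVG, ...).
function sniffImageType(data) {
  for (const [type, { magic }] of Object.entries(IMAGE_SIGNATURES)) {
    if (data.length >= magic.length && magic.every((b, i) => data[i] === b)) return type;
  }
  return null;
}

// Defence in depth: refuse anything whose first KB carries markup a browser might execute
// (this deliberately rejects SVG too, since SVG can embed script).
function containsMarkup(data) {
  const head = data.subarray(0, 1024).toString('latin1').toLowerCase();
  return /<(!doctype|html|script|svg|iframe|object|embed)\b/.test(head);
}

// Decide whether an upload may be stored as an avatar; every check is on the bytes.
function validateAvatarUpload({ filename, declaredMime, data }) {
  if (containsMarkup(data)) return { ok: false, reason: 'markup in file content' };
  const sniffed = sniffImageType(data);
  if (!sniffed) return { ok: false, reason: 'content is not a supported raster image' };
  const m = filename.toLowerCase().match(/\.([a-z0-9]+)$/);
  const ext = m ? m[1] : '';
  if (!IMAGE_SIGNATURES[sniffed].exts.includes(ext)) {
    return { ok: false, reason: `extension .${ext} does not match ${sniffed}` };
  }
  if (declaredMime !== sniffed) return { ok: false, reason: 'declared MIME does not match content' };
  return { ok: true, contentType: sniffed };
}

// Headers for serving any user-uploaded file back, even a validated image: the stored
// type is authoritative, MIME sniffing is disabled, and no script can run in that document.
function uploadResponseHeaders(contentType) {
  return {
    'Content-Type': contentType,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Constructed sample: an HTML file disguised as an avatar, the scenario in the advisory.
const disguised = { filename: 'avatar.png', declaredMime: 'image/png',
                    data: Buffer.from('<html><body>not an image</body></html>') };
console.log(validateAvatarUpload(disguised)); // { ok: false, reason: 'markup in file content' }
```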
Affected products: 1
Patches: 0 (no patches discovered yet)
References (2)
- github.com/directus/directus/commit/ec86d5412d45136915d9b622b4a890dd26932b10
- www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22117