CVE-2022-22116

In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to stored Cross-Site Scripting (XSS) via SVG file upload in the media upload functionality. A low-privileged attacker can inject arbitrary JavaScript code, which will be executed in a victim's browser when they open the image URL.
Cross-site Scripting
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | NIST | 5.4 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Mend | CNA | 5.4 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE | ADP | --- | ---
EPSS Score
Percentile: 41%
Vendor | Product | Version
rangerstudio | directus | 9.0.1 ≤ x ≤ 9.4.1
rangerstudio | directus | 9.0.0
rangerstudio | directus | 9.0.0:alpha10
rangerstudio | directus | 9.0.0:alpha11
rangerstudio | directus | 9.0.0:alpha12
rangerstudio | directus | 9.0.0:alpha13
rangerstudio | directus | 9.0.0:alpha14
rangerstudio | directus | 9.0.0:alpha15
rangerstudio | directus | 9.0.0:alpha16
rangerstudio | directus | 9.0.0:alpha17
rangerstudio | directus | 9.0.0:alpha18
rangerstudio | directus | 9.0.0:alpha19
rangerstudio | directus | 9.0.0:alpha20
rangerstudio | directus | 9.0.0:alpha21
rangerstudio | directus | 9.0.0:alpha22
rangerstudio | directus | 9.0.0:alpha23
rangerstudio | directus | 9.0.0:alpha24
rangerstudio | directus | 9.0.0:alpha25
rangerstudio | directus | 9.0.0:alpha26
rangerstudio | directus | 9.0.0:alpha27
rangerstudio | directus | 9.0.0:alpha31
rangerstudio | directus | 9.0.0:alpha32
rangerstudio | directus | 9.0.0:alpha33
rangerstudio | directus | 9.0.0:alpha34
rangerstudio | directus | 9.0.0:alpha35
rangerstudio | directus | 9.0.0:alpha36
rangerstudio | directus | 9.0.0:alpha37
rangerstudio | directus | 9.0.0:alpha38
rangerstudio | directus | 9.0.0:alpha39
rangerstudio | directus | 9.0.0:alpha4
rangerstudio | directus | 9.0.0:alpha40
rangerstudio | directus | 9.0.0:alpha41
rangerstudio | directus | 9.0.0:alpha42
rangerstudio | directus | 9.0.0:alpha5
rangerstudio | directus | 9.0.0:alpha6
rangerstudio | directus | 9.0.0:alpha7
rangerstudio | directus | 9.0.0:alpha8
rangerstudio | directus | 9.0.0:alpha9
rangerstudio | directus | 9.0.0:beta0
rangerstudio | directus | 9.0.0:beta1
rangerstudio | directus | 9.0.0:beta10
rangerstudio | directus | 9.0.0:beta11
rangerstudio | directus | 9.0.0:beta12
rangerstudio | directus | 9.0.0:beta13
rangerstudio | directus | 9.0.0:beta14
rangerstudio | directus | 9.0.0:beta2
rangerstudio | directus | 9.0.0:beta3
rangerstudio | directus | 9.0.0:beta4
rangerstudio | directus | 9.0.0:beta5
rangerstudio | directus | 9.0.0:beta7
rangerstudio | directus | 9.0.0:beta8
rangerstudio | directus | 9.0.0:beta9
rangerstudio | directus | 9.0.0:rc0
rangerstudio | directus | 9.0.0:rc1
rangerstudio | directus | 9.0.0:rc10
rangerstudio | directus | 9.0.0:rc100
rangerstudio | directus | 9.0.0:rc101
rangerstudio | directus | 9.0.0:rc11
rangerstudio | directus | 9.0.0:rc12
rangerstudio | directus | 9.0.0:rc13
rangerstudio | directus | 9.0.0:rc14
rangerstudio | directus | 9.0.0:rc15
rangerstudio | directus | 9.0.0:rc17
rangerstudio | directus | 9.0.0:rc18
rangerstudio | directus | 9.0.0:rc19
rangerstudio | directus | 9.0.0:rc2
rangerstudio | directus | 9.0.0:rc20
rangerstudio | directus | 9.0.0:rc21
rangerstudio | directus | 9.0.0:rc22
rangerstudio | directus | 9.0.0:rc23
rangerstudio | directus | 9.0.0:rc24
rangerstudio | directus | 9.0.0:rc25
rangerstudio | directus | 9.0.0:rc26
rangerstudio | directus | 9.0.0:rc27
rangerstudio | directus | 9.0.0:rc28
rangerstudio | directus | 9.0.0:rc29
rangerstudio | directus | 9.0.0:rc3
rangerstudio | directus | 9.0.0:rc30
rangerstudio | directus | 9.0.0:rc31
rangerstudio | directus | 9.0.0:rc32
rangerstudio | directus | 9.0.0:rc33
rangerstudio | directus | 9.0.0:rc34
rangerstudio | directus | 9.0.0:rc35
rangerstudio | directus | 9.0.0:rc36
rangerstudio | directus | 9.0.0:rc37
rangerstudio | directus | 9.0.0:rc38
rangerstudio | directus | 9.0.0:rc39
rangerstudio | directus | 9.0.0:rc4
rangerstudio | directus | 9.0.0:rc40
rangerstudio | directus | 9.0.0:rc41
rangerstudio | directus | 9.0.0:rc42
rangerstudio | directus | 9.0.0:rc43
rangerstudio | directus | 9.0.0:rc44
rangerstudio | directus | 9.0.0:rc45
rangerstudio | directus | 9.0.0:rc46
rangerstudio | directus | 9.0.0:rc47
rangerstudio | directus | 9.0.0:rc48
rangerstudio | directus | 9.0.0:rc49
rangerstudio | directus | 9.0.0:rc5
rangerstudio | directus | 9.0.0:rc50
rangerstudio | directus | 9.0.0:rc51
rangerstudio | directus | 9.0.0:rc52
rangerstudio | directus | 9.0.0:rc53
rangerstudio | directus | 9.0.0:rc54
rangerstudio | directus | 9.0.0:rc55
rangerstudio | directus | 9.0.0:rc56
rangerstudio | directus | 9.0.0:rc57
rangerstudio | directus | 9.0.0:rc58
rangerstudio | directus | 9.0.0:rc59
rangerstudio | directus | 9.0.0:rc6
rangerstudio | directus | 9.0.0:rc60
rangerstudio | directus | 9.0.0:rc61
rangerstudio | directus | 9.0.0:rc62
rangerstudio | directus | 9.0.0:rc63
rangerstudio | directus | 9.0.0:rc64
rangerstudio | directus | 9.0.0:rc65
rangerstudio | directus | 9.0.0:rc66
rangerstudio | directus | 9.0.0:rc67
rangerstudio | directus | 9.0.0:rc68
rangerstudio | directus | 9.0.0:rc69
rangerstudio | directus | 9.0.0:rc7
rangerstudio | directus | 9.0.0:rc70
rangerstudio | directus | 9.0.0:rc71
rangerstudio | directus | 9.0.0:rc72
rangerstudio | directus | 9.0.0:rc73
rangerstudio | directus | 9.0.0:rc74
rangerstudio | directus | 9.0.0:rc75
rangerstudio | directus | 9.0.0:rc76
rangerstudio | directus | 9.0.0:rc77
rangerstudio | directus | 9.0.0:rc78
rangerstudio | directus | 9.0.0:rc79
rangerstudio | directus | 9.0.0:rc8
rangerstudio | directus | 9.0.0:rc80
rangerstudio | directus | 9.0.0:rc81
rangerstudio | directus | 9.0.0:rc82
rangerstudio | directus | 9.0.0:rc83
rangerstudio | directus | 9.0.0:rc84
rangerstudio | directus | 9.0.0:rc85
rangerstudio | directus | 9.0.0:rc86
rangerstudio | directus | 9.0.0:rc87
rangerstudio | directus | 9.0.0:rc88
rangerstudio | directus | 9.0.0:rc89
rangerstudio | directus | 9.0.0:rc9
rangerstudio | directus | 9.0.0:rc90
rangerstudio | directus | 9.0.0:rc91
rangerstudio | directus | 9.0.0:rc92
rangerstudio | directus | 9.0.0:rc93
rangerstudio | directus | 9.0.0:rc94
rangerstudio | directus | 9.0.0:rc95
rangerstudio | directus | 9.0.0:rc96
rangerstudio | directus | 9.0.0:rc97
rangerstudio | directus | 9.0.0:rc98
rangerstudio | directus | 9.0.0:rc99

x = Vulnerable software versions