CVE-2022-22117

In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted upload of .html files through the media upload functionality, which leads to a stored cross-site scripting vulnerability. A low-privileged attacker can upload a crafted HTML file as a profile avatar; when an admin or another user opens that file, the browser renders it and the embedded script runs in the victim's session, so the payload acts with the victim's privileges rather than the uploader's. Upgrading to a release later than 9.4.1 resolves the issue.
Weakness: Cross-site Scripting
Severity: MEDIUM
CVSS 3.x vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Base Score: 5.4 (CVSS 3.1, computed from the vector above; the score field on the page was empty)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW (any account that can upload an avatar)
User Interaction: REQUIRED (a victim must open the uploaded file)
Scope: CHANGED (the script executes in the victim's browser, outside the uploader's own authorization context)
EPSS Score: percentile 25%
Vendor        Product   Version
rangerstudio  directus  9.0.1 ≤ x ≤ 9.4.1
rangerstudio  directus  9.0.0 (this row appears repeatedly in the source listing, presumably one entry per 9.0.0 pre-release build; the description puts the affected range at 9.0.0-alpha.4 onward, but the individual pre-release tags are not shown on the page)

x = vulnerable software versions
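The advisory describes two failures working together: the upload path accepts an .html file as an avatar, and the asset path then serves it in a way a browser will render. The following is an added example, not Directus code and not the project's actual fix (which this page does not describe). It shows, in Node.js, an upload allow-list that requires bytes, declared type and extension to agree on an image; the response headers that make a stored file inert when served; and a triage helper that classifies captured response headers from the assets endpoint. Function names, the image allow-list and every sample input are assumptions constructed for the example.

```javascript
// Added example, not Directus project code. Names (classifyUpload, assetHeaders,
// assessAssetResponse) and the image allow-list are assumptions for illustration.

// Magic bytes for the only formats an avatar should be. Constructed table.
const MAGIC = [
  { mime: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
];
// Filename extensions that may accompany each sniffed type.
const EXT_FOR = { 'image/png': ['png'], 'image/jpeg': ['jpg', 'jpeg'], 'image/gif': ['gif'] };

// "text/html; charset=utf-8" -> "text/html"
function baseType(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

// Identify the real format from the leading bytes; null for anything not allow-listed.
function sniffMime(head) {
  for (const { mime, bytes } of MAGIC) {
    if (head.length >= bytes.length && bytes.every((b, i) => head[i] === b)) return mime;
  }
  return null;
}

// Upload-side check: bytes, declared Content-Type and extension must all agree on an
// allow-listed image. An HTML body, an .html name or a text/html declaration each fail.
function classifyUpload({ filename, declaredMime, head }) {
  const sniffed = sniffMime(head);
  if (!sniffed) return { ok: false, reason: 'content is not an allow-listed image' };
  if (baseType(declaredMime) !== sniffed) return { ok: false, reason: 'declared type does not match content' };
  const ext = String(filename).toLowerCase().split('.').pop();
  if (!EXT_FOR[sniffed].includes(ext)) return { ok: false, reason: 'extension does not match content' };
  return { ok: true, mime: sniffed };
}

// Serve-side headers for any stored file. Allow-listed images render inline; everything
// else is forced to download as an opaque blob. nosniff stops the browser second-guessing
// the type, and the CSP sandbox means even an inline response cannot run script.
function assetHeaders(storedMime, filename) {
  const mime = baseType(storedMime);
  const inline = Object.prototype.hasOwnProperty.call(EXT_FOR, mime);
  const safeName = String(filename).replace(/[^\w.-]/g, '_');
  return {
    'Content-Type': inline ? mime : 'application/octet-stream',
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': `${inline ? 'inline' : 'attachment'}; filename="${safeName}"`,
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Triage helper for a captured GET /assets/<id> response (for example the headers from
// curl -D - -o /dev/null <url>): is a stored HTML file handed to the browser in a way
// that lets its script run? Header names are matched case-insensitively.
function assessAssetResponse(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const type = baseType(h['content-type']);
  const renders = ['text/html', 'application/xhtml+xml', 'image/svg+xml'].includes(type);
  const attachment = /^\s*attachment/i.test(h['content-disposition'] || '');
  const csp = h['content-security-policy'] || '';
  const scriptBlocked =
    /(^|;)\s*sandbox(\s|;|$)/i.test(csp) ||
    /(^|;)\s*script-src\s+'none'/i.test(csp) ||
    (/(^|;)\s*default-src\s+'none'/i.test(csp) && !/script-src/i.test(csp));
  if (!renders) return { vulnerable: false, note: `${type || 'unknown type'} is not rendered as a document` };
  if (attachment) return { vulnerable: false, note: 'forced download' };
  if (scriptBlocked) return { vulnerable: false, note: 'CSP forbids script' };
  return { vulnerable: true, note: `served inline as ${type} with no script-blocking CSP` };
}

// Constructed sample inputs (not captured from a real instance).
const HTML_AVATAR = Buffer.from('<html><body><script>alert(document.domain)</script></body></html>');
const PNG_AVATAR = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]);
// Constructed headers modelling the inline serving of uploaded HTML that the advisory describes.
const INLINE_HTML_RESPONSE = { 'Content-Type': 'text/html; charset=utf-8', 'Content-Length': '64' };

function demo() {
  return {
    htmlUpload: classifyUpload({ filename: 'avatar.html', declaredMime: 'text/html', head: HTML_AVATAR }),
    pngUpload: classifyUpload({ filename: 'avatar.png', declaredMime: 'image/png', head: PNG_AVATAR }),
    unpatched: assessAssetResponse(INLINE_HTML_RESPONSE),
    hardened: assessAssetResponse(assetHeaders('text/html', 'avatar.html')),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

To check a live instance, upload a small HTML file as a low-privileged user, fetch it from the assets endpoint with curl -D - -o /dev/null, and pass the response headers to assessAssetResponse: text/html served inline with no attachment disposition and no script-blocking CSP is exactly the condition the advisory describes. The remediation is a release later than 9.4.1; the allow-list and the serving headers above are defence in depth worth keeping regardless of version, since they also neutralize the next renderable type (SVG, XHTML) that a future upload path might let through.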