
Directus XSS flaw addressed

ZDNet reports that Directus has issued a fix for a cross-site scripting (XSS) vulnerability affecting versions 9.6.0 and earlier of the open source modular content management system. The flaw, tracked as CVE-2022-24814, was identified by Synopsys Cybersecurity Research Center researcher David Johansson in the CMS's file upload functionality and could be exploited to compromise accounts. "Unauthorized JavaScript can be executed by inserting an iframe into the rich text HTML interface that links to an uploaded HTML file that loads another uploaded JS file in its script tag. This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS," said Directus. The bug could also be leveraged for a stored XSS attack triggered by viewing certain files or collections, according to Synopsys, which added that two other similar vulnerabilities have been reported in the Directus App. However, researchers said the mitigations for those bugs have been bypassed.
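As an added example, not Directus code and not from the original article: defensive handling of the two pieces of the chain described above, a rich-text check that drops iframes pointing at same-origin uploaded files, and response headers for serving uploads so that an uploaded HTML file cannot run script even when framed. The upload path prefixes and the site origin are assumptions for illustration.

```javascript
// Added example (not Directus code). Assumed locations where uploaded files
// are served from the CMS's own origin; adjust to the real deployment.
const UPLOAD_PREFIXES = ['/assets/', '/uploads/'];

// True if `src` (absolute or relative) resolves to this site's upload area.
// A same-origin upload is exactly what lets an <iframe> satisfy a CSP that
// only trusts 'self', so this is the property the sanitizer keys on.
function pointsAtUpload(src, origin) {
  let url;
  try {
    url = new URL(src, origin);
  } catch {
    return false; // unparsable src: nothing to frame
  }
  if (url.origin !== origin) return false;
  return UPLOAD_PREFIXES.some((p) => url.pathname.startsWith(p));
}

// Remove <iframe> elements whose src targets an uploaded file; leave other
// markup untouched. Deliberately small regex pass to show the policy decision;
// a real HTML sanitizer should wrap this check in production.
function stripUploadIframes(html, origin) {
  const iframeRe = /<iframe\b[^>]*>[\s\S]*?<\/iframe>|<iframe\b[^>]*\/?>/gi;
  return html.replace(iframeRe, (tag) => {
    const m = tag.match(/\bsrc\s*=\s*["']?([^"'\s>]+)/i);
    const src = m ? m[1] : '';
    return pointsAtUpload(src, origin) ? '' : tag;
  });
}

// Headers for responses that serve user uploads. `sandbox` without
// allow-scripts means the document cannot execute JavaScript even if it is
// HTML; nosniff stops a file being reinterpreted as a script; HTML and SVG
// uploads are additionally forced to download rather than render.
function uploadResponseHeaders(mimeType) {
  const headers = {
    'Content-Security-Policy': "sandbox; default-src 'none'",
    'X-Content-Type-Options': 'nosniff',
  };
  if (mimeType === 'text/html' || mimeType === 'image/svg+xml') {
    headers['Content-Disposition'] = 'attachment';
  }
  return headers;
}
```

Constructed rich-text input such as `<iframe src="/assets/abc"></iframe>` is dropped, while an iframe pointing at a foreign origin is kept for the regular sanitizer to judge.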
