According to a recent advisory from the Synopsys Cybersecurity Research Centre (CyRC), a stored cross-site scripting (XSS) vulnerability in the widely used Directus content management system (CMS) could lead to account compromise in the service’s admin application if not promptly remedied.
Directus is an open source, web-based framework used to manage SQL-based databases and expose their contents through an application programming interface (API) to multiple clients or websites. The vulnerability, tracked as CVE-2022-24814, was discovered and identified by CyRC researcher David Johansson.
CVE-2022-24814 is identical to two previously reported vulnerabilities, CVE-2022-22116 and CVE-2022-22117, and bypasses the mitigation Directus shipped in version 9.4.2 for those bugs. It has a CVSS base score of 5.4, a medium-severity rating.
In practice, it allows an authenticated Directus user to abuse the file upload functionality to plant a stored XSS payload that executes automatically when other users view collections or files in Directus.
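The advisory does not say which file type was abused, so the following added example (my own code, not Directus code or anything from the CyRC advisory) shows the two generic defensive layers a CMS can apply to the stored-XSS-via-upload class: refusing uploads whose body or declared type is browser-renderable active content, and serving stored files with headers that keep a browser from executing them in the viewing admin's session. The sample uploads are constructed; the `classifyUpload` and `downloadHeaders` names are hypothetical.

```javascript
// Added example, not Directus code: two defensive layers against stored XSS
// delivered through a CMS file upload. Layer 1 rejects uploads that carry
// active content whatever MIME type the client declares; layer 2 builds the
// headers to serve stored files so a browser treats them as inert downloads.

// Types a browser renders as a document and runs scripts in when shown inline.
const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml', 'text/xml', 'application/xml',
]);
// Heuristic sniff of the leading bytes for markup that can carry script.
const ACTIVE_MARKUP = /<\s*(script|svg|html|body|iframe|object|embed)\b|javascript:/i;

// Classify an upload. `declaredType` is client-supplied and untrusted, so the
// file body is inspected as well. Returns { accept, reason }.
function classifyUpload(declaredType, bytes) {
  const type = String(declaredType || '').split(';')[0].trim().toLowerCase();
  if (ACTIVE_TYPES.has(type)) {
    return { accept: false, reason: `active content type ${type}` };
  }
  const head = Buffer.from(bytes).subarray(0, 4096).toString('latin1');
  if (ACTIVE_MARKUP.test(head)) {
    return { accept: false, reason: 'active markup detected in file body' };
  }
  return { accept: true, reason: 'ok' };
}

// Headers for serving any stored upload: force a download rather than inline
// rendering, forbid MIME sniffing, and apply a sandboxed CSP so that even a
// payload the classifier missed cannot run with the viewing admin's session.
function downloadHeaders(filename, storedType) {
  const safeName = filename.replace(/[^\w.-]/g, '_'); // keep the header well-formed
  return {
    'Content-Type': storedType,
    'Content-Disposition': `attachment; filename="${safeName}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "sandbox; default-src 'none'",
  };
}

// Constructed sample uploads (not real payloads from the advisory).
const SAMPLES = [
  ['image/png', Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])],
  ['image/png', '<svg xmlns="http://www.w3.org/2000/svg"><script>console.log("xss")</script></svg>'],
  ['text/html; charset=utf-8', '<p>plain page</p>'],
];
for (const [type, body] of SAMPLES) {
  console.log(type.padEnd(26), JSON.stringify(classifyUpload(type, body)));
}
console.log(downloadHeaders('report.svg', 'image/svg+xml'));
```

The second sample is a file declared as PNG but carrying SVG markup with a script element, which is why the body is sniffed rather than trusting the declared type alone.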
The vulnerability was first reported on January 28, 2022, and confirmed on March 7, 2022. Directus released version 3.7.0 on March 18, which includes a fix for CVE-2022-24814; users who have not yet updated to that version should do so immediately. According to Synopsys, Directus responded quickly and responsively throughout the investigation.
Like Log4Shell, which catapulted concerns about open source tools and their use within organisations to prominence at the end of 2021, CVE-2022-24814 sits in a widely used open source component.
The disclosure of a flaw in a widely used open source component that underpins critical parts of many organisations’ operations underlines the need for security personnel to know exactly what the IT and development teams they are responsible for protecting are actually using.