Security Advisory

CVE-2022-22117

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2022-01-10 15:26:45

Last updated 2024-09-16 18:44:02

Assigner Mend

State PUBLISHED

Description

In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in the media upload functionality, which leads to Cross-Site Scripting vulnerability. A low privileged attacker can upload a crafted HTML file as a profile avatar, and when an admin or another user opens it, the XSS payload gets triggered.

← Browse all CVEs View on cve.org ↗