CVE-2022-22117

Public Exploit
Directus - Stored Cross-Site Scripting (XSS) in Profile Avatar Image

Description

In Directus, versions 9.0.0-alpha.4 through 9.4.1 allow unrestricted file upload of .html files in the media upload functionality, which leads to Cross-Site Scripting vulnerability. A low privileged attacker can upload a crafted HTML file as a profile avatar, and when an admin or another user opens it, the XSS payload gets triggered.

Remediation

Solution:

  • Update to directus version 9.4.2

Category

5.4
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.19%
Third-Party Advisory github.com Third-Party Advisory whitesourcesoftware.com
Affected: directus directus
Published at:
Updated at:

References

Link Tags
https://github.com/directus/directus/commit/ec86d5412d45136915d9b622b4a890dd26932b10 third party advisory patch
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22117 third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2022-22117?
CVE-2022-22117 has been scored as a medium severity vulnerability.
How to fix CVE-2022-22117?
To fix CVE-2022-22117: Update to directus version 9.4.2
Is CVE-2022-22117 being actively exploited in the wild?
It is possible that CVE-2022-22117 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-22117?
CVE-2022-22117 affects directus directus.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.