A stored cross-site scripting (XSS) vulnerability in the widely used Directus content management system (CMS) could lead to account compromise in the service’s admin application if not promptly mitigated, according to a new advisory from the Synopsys Cybersecurity Research Centre (CyRC).
Discovered and flagged by CyRC researcher David Johansson, CVE-2022-24814 affects version 9.6.0 and earlier of Directus, which is an open source, web-based framework used to manage SQL-based databases and connect their contents via an application programming interface (API) into various clients or websites.
CVE-2022-24814 is similar to two earlier-reported issues – CVE-2022-22116 and CVE-2022-22117 – and bypasses a previous mitigation implemented for these bugs in Directus 9.4.2. It has been assigned a CVSS base score of 5.4, making it of medium impact.
Ultimately, it enables an authenticated user with access to Directus to abuse its file upload functionality to craft a stored XSS attack that executes automatically when other users view collections or files in Directus.
“Due to the nature of XSS attacks, the potential damage depends largely on the privileges of the user being targeted,” said Johansson. “In the general case, it would give the attacker an ability to compromise another user’s account and perform actions, such as adding or modifying data, that are attributed to that user without their knowledge or consent.
“In a worst-case scenario where an admin user is affected, the malicious actor would be able to steal any information held within the Directus system, as well as causing disruption by deleting data or changing the system configuration.”
Johansson told Computer Weekly he had not seen any evidence of active exploitation of the vulnerability, but it could not be ruled out. “Attackers may start to target installations that haven’t yet upgraded, so it is always advisable to upgrade as soon as possible, even if there is no firm evidence of active exploitation,” he said.
The vulnerability was initially disclosed on 28 January 2022, and confirmed on 7 March. On 18 March, Directus released version 3.7.0, which incorporates a fix for CVE-2022-24814. Users who have not yet updated to this version should do so. Synopsys said Directus had acted responsively throughout, and had addressed the vulnerability in a timely manner.
While by no means as impactful as Log4Shell, which catapulted issues around open source tools and their use within organisations to prominence at the end of 2021, CVE-2022-24814 ultimately springs from a similar source.
The latest disclosure of a bug in a widely used open source resource that underpins essential components of many organisations’ work highlights the need for security teams to understand precisely what is being used by the IT and development teams it is tasked with protecting.
“There has been plenty of discussion in the industry about whether open source or proprietary tools are more secure or prone to vulnerabilities, but that debate misses the point,” said Greg Fitzgerald, co-founder of IT asset management specialist Sevco Security.
“Regardless of what types of tools you’re using, the biggest risk for organisations is losing track of their IT asset inventory. Enterprises are littered with forgotten or abandoned deployments, and whether it’s open source or proprietary, a single unpatched instance can be enough for malicious actors to get a foothold in your network.
“In order to protect the entirety of your attack surface, the priority for security teams needs to be creating and maintaining a comprehensive inventory of every IT asset that touches the network.”
Johansson added: “Before using any new software component, it should go through some form of risk assessment. For example, if it’s an open source software component, you could look at how actively it’s being maintained and review timelines and responses to previous vulnerability disclosures, if there are any.
“To get a better picture of potential vulnerabilities, it may be appropriate to do some security testing of the software. In general, the amount and depth of testing needed should be driven by the potential impact. For example, if the software component is used in a business-critical application, then it might warrant a more comprehensive security review.
“Finally, it is also important to keep track of all software components and versions used within an organisation, so that you have the ability to react quickly when a new vulnerability is disclosed. Software composition analysis (SCA) tools can help with that effort.”