
Cloud Vulnerability DB
A community-led vulnerabilities database
Directus, a real-time API and App dashboard for managing SQL database content, was affected by a cross-site scripting (XSS) vulnerability tracked as CVE-2022-24814. The vulnerability affected versions prior to 9.7.0 and was disclosed on April 4, 2022. The issue lay in the file upload functionality of the content management system (ZDNET, NVD).
The vulnerability allowed unauthorized JavaScript execution through a specific attack chain. An attacker could insert an iframe into the Rich Text HTML interface that links to an uploaded HTML file, which in turn loads another uploaded JavaScript file in its script tag. This chain bypassed the regular Content-Security-Policy header, enabling arbitrary JavaScript execution. The vulnerability received a CVSS v3.1 base score of 6.1 (MEDIUM) from NVD and 8.8 (HIGH) from GitHub (NVD).
If successfully exploited, the vulnerability could lead to account compromise through unauthorized JavaScript execution. The attack could be triggered when users viewed certain collections or files on the platform, allowing attackers to run arbitrary JavaScript in the context of the viewing user's session (ZDNET).
The vulnerability was patched in Directus version 9.7.0. For users unable to upgrade immediately, a workaround was provided: disable the live embed feature in the WYSIWYG editor by adding { "media_live_embeds": false } to the Options Overrides option of the Rich Text HTML interface (GitHub Advisory, Directus Release).
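As an added example that is not part of this report or of Directus itself, the following Python audit checks a running version against the fix and flags Rich Text HTML fields that still lack the workaround. The field records are constructed to resemble what the Directus /fields endpoint returns, and the tinymceOverrides option key (assumed here to be where the interface stores its Options Overrides value) should be verified against your own instance.

```python
"""Audit Directus field metadata for the CVE-2022-24814 workaround."""

# Version that shipped the fix, taken from the advisory.
PATCHED = (9, 7, 0)


def parse_version(version):
    """Turn a dotted version string such as '9.6.0' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_patched(version):
    """True when the running Directus version is 9.7.0 or later."""
    return parse_version(version) >= PATCHED


def embeds_disabled(field):
    """True when the field's option overrides set media_live_embeds to false.

    The 'tinymceOverrides' key is an assumption about how the Rich Text HTML
    interface persists its 'Options Overrides' setting.
    """
    options = (field.get("meta") or {}).get("options") or {}
    overrides = options.get("tinymceOverrides") or {}
    return overrides.get("media_live_embeds") is False


def audit(version, fields):
    """Return 'collection.field' names of rich-text fields still exposed.

    An instance on 9.7.0 or later needs no workaround, so the list is empty.
    """
    if is_patched(version):
        return []
    return [
        f"{f['collection']}.{f['field']}"
        for f in fields
        if (f.get("meta") or {}).get("interface") == "input-rich-text-html"
        and not embeds_disabled(f)
    ]


# Constructed sample records in the shape of /fields output (not real data).
SAMPLE_FIELDS = [
    {"collection": "articles", "field": "title",
     "meta": {"interface": "input", "options": None}},
    {"collection": "articles", "field": "body",
     "meta": {"interface": "input-rich-text-html", "options": {"toolbar": ["bold"]}}},
    {"collection": "pages", "field": "content",
     "meta": {"interface": "input-rich-text-html",
              "options": {"tinymceOverrides": {"media_live_embeds": False}}}},
]

if __name__ == "__main__":
    print(audit("9.6.0", SAMPLE_FIELDS))  # → ['articles.body']
```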
Source: This report was generated using AI