Directus Stored Cross-Site Scripting Vulnerability in Block Editor
Vulnerability
A stored cross-site scripting vulnerability has been identified in Directus versions prior to 11.13.0. This vulnerability allows users with 'upload files' and 'edit item' permissions to inject malicious JavaScript through the Block Editor interface. The issue arises from inadequate sanitization of JSON content containing HTML elements, enabling attackers to upload harmful scripts and execute them when the content is viewed. Notably, the exploitation can bypass Content Security Policy restrictions by using iframe srcdoc attributes to load the injected scripts, resulting in persistent XSS execution.
Impact
Exploitation of this vulnerability leads to stored cross-site scripting, where injected scripts are executed whenever the affected content is accessed. This could allow for session hijacking, administrative compromise if an admin views the content, and data exfiltration of sensitive information displayed in the application.
Reproduction
To reproduce this vulnerability, first upload a malicious JavaScript file through the files endpoint, targeting the assets directory. Then, create or edit an item using the Block Editor interface. Inject raw HTML that includes an iframe referencing the uploaded JavaScript file via its file ID. The iframe's srcdoc attribute will load the script, circumventing any Content Security Policy protections.
Remediation
Users should update to Directus version 11.13.0 or later, where this vulnerability has been patched.
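Upgrading fixes the sanitizer going forward, but items stored before the upgrade keep whatever markup was saved. The following audit is an added example (not Directus code or part of the advisory) that assumes the Block Editor stores Editor.js-style JSON: a `blocks` array in which `raw` blocks carry `html` and other blocks carry `text` or `caption`. It walks that JSON and reports script-capable markup, descending into `iframe srcdoc` because that attribute holds a complete nested document.

```python
from html.parser import HTMLParser

# Elements that run script or embed a document; editor content should never contain them.
SCRIPT_CAPABLE = {"script", "iframe", "frame", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}

class _Auditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in SCRIPT_CAPABLE:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"<{tag} {name}> event handler")
            elif name == "srcdoc":
                # srcdoc holds a whole inline document (already entity-decoded by
                # the parser), so audit that document recursively.
                self.findings.append(f"<{tag} srcdoc> inline document")
                self.findings.extend(audit_html(value))
            elif name in URL_ATTRS and "".join(value.split()).lower().startswith("javascript:"):
                self.findings.append(f"<{tag} {name}> javascript: URL")

def audit_html(fragment):
    """Return the findings for one HTML fragment (empty list when clean)."""
    parser = _Auditor()
    parser.feed(fragment)
    parser.close()
    return parser.findings

def audit_block_editor(doc):
    """Audit an Editor.js-style {"blocks": [{"type", "data"}]} document (assumed layout)."""
    findings = []
    for i, block in enumerate(doc.get("blocks", [])):
        data = block.get("data", {})
        # 'html' is a raw-HTML block body; 'text' and 'caption' carry inline markup.
        for field in ("html", "text", "caption"):
            if isinstance(data.get(field), str):
                for f in audit_html(data[field]):
                    findings.append(f"block {i} ({block.get('type')}): {f}")
    return findings

# Constructed sample: a benign paragraph plus a raw block of the shape the advisory describes
# (iframe srcdoc loading an uploaded file; the file ID is a placeholder, not a real asset).
SAMPLE_DOC = {"blocks": [
    {"type": "paragraph", "data": {"text": "Quarterly report is <b>ready</b>."}},
    {"type": "raw", "data": {"html": '<iframe srcdoc="&lt;script src=&quot;/assets/FILE-ID-PLACEHOLDER&quot;&gt;&lt;/script&gt;"></iframe>'}},
]}
```

Run it over exported item JSON: a clean document yields an empty list, so any finding marks content worth reviewing before it is rendered again.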