Description
Directus has an HTML Injection in Comment
Summary
The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection.
Details
The Comment feature implements a character filter on the client side only; it can be bypassed by sending a request directly to the endpoint, so the restricted characters are never checked by the server.
Example Request:
Example Response:
Example Result:

Impact
With the introduction of session cookies, this issue has become exploitable: an injected script is now able to perform authenticated actions on the current user's behalf.
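As an added example (not Directus code and not its actual fix), the following JavaScript illustrates the failure mode described under Details and the server-side check that closes it: a request that never passes through the browser form skips the client-side filter entirely, so the endpoint has to re-validate and neutralise the comment itself. The restricted-character rule (`[<>]`), the handler name, the request shape and the sample input are assumptions constructed for illustration.

```javascript
// Added example, not from Directus: the same filter run client-side only vs. server-side.
// Assumed policy: comment text may not contain angle brackets (stand-in for the real rule).
const RESTRICTED = /[<>]/;

// Client-side check, as a browser form would run it before submitting.
// A request sent directly to the endpoint never executes this function,
// so on its own it offers no protection at all.
function clientSideFilter(text) {
  return !RESTRICTED.test(text);
}

// Escape the characters that let plain text be interpreted as HTML when rendered.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side handler (assumed shape): re-validates the body regardless of what
// the client did, and stores an escaped copy so the comment is inert on output
// even if a future rule change lets other markup-significant characters through.
function handleCreateComment(body) {
  if (typeof body.comment !== 'string' || body.comment.length === 0) {
    return { status: 400, error: 'comment must be a non-empty string' };
  }
  if (RESTRICTED.test(body.comment)) {
    return { status: 400, error: 'comment contains restricted characters' };
  }
  return { status: 201, stored: escapeHtml(body.comment) };
}

// Simulates a request body posted straight to the endpoint (constructed input),
// i.e. without the browser form and its client-side filter in the path.
function directRequestDemo() {
  const body = { comment: '<b>hello</b>' };
  return {
    clientFilterPasses: clientSideFilter(body.comment), // false, but it was never consulted
    serverResult: handleCreateComment(body),            // server rejects it anyway
  };
}

module.exports = { clientSideFilter, escapeHtml, handleCreateComment, directRequestDemo };
```

The point of the demo is that `clientSideFilter` returning `false` is irrelevant for a direct request; only the check inside `handleCreateComment` actually decides what gets stored, and the escaped copy keeps stored text inert when it is later rendered in the app.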
Packages
@directus/app: affected >= 11.0.0, < 13.3.1; patched in 13.3.1
directus: affected >= 10.10.0, < 10.13.4; patched in 10.13.4
directus: affected >= 11.0.0-rc.1, < 11.2.2; patched in 11.2.2
Related vulnerabilities
Directus is a real-time API and App dashboard for managing SQL database content. The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection. This vulnerability is fixed in 10.13.4 and 11.2.0.