The open source CMS platform Directus patches the XSS bug
According to a new advisory from the Synopsys Cybersecurity Research Center (CyRC), a stored cross-site scripting (XSS) vulnerability in the widely used content management system (CMS) Directus could lead to account compromise in the service’s management application if it is not remedied immediately.
CVE-2022-24814 was discovered and reported by CyRC researcher David Johansson and affects version 9.6.0 and earlier of Directus, an open-source web-based framework used to manage SQL-based databases and expose their contents through an application programming interface (API) to different clients or websites.
CVE-2022-24814 is similar to two previously reported issues – CVE-2022-22116 and CVE-2022-22117 – and bypasses the mitigation implemented for those bugs in Directus 9.4.2. It has been assigned a CVSS base score of 5.4, giving it a medium severity rating.
Ultimately, it allows an authenticated user with access to Directus to abuse its file upload feature to create a stored XSS attack that runs automatically when other users view collections or files in Directus.
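The class of bug described above, where a file stored by one user is later rendered as active content in another user’s session, is usually mitigated at the point where uploads are served back. The following is an added example, not Directus code and not part of the advisory; it assumes uploads are served from the same origin as the management UI and that the declared MIME type, file name and file bytes are all attacker-controlled. It decides whether a stored file may be rendered inline at all and, when it may not, forces it to be delivered as an opaque download with sniffing disabled.

```python
"""Added example: a serving policy for user-uploaded files that keeps stored
active content (HTML, SVG, XML) from executing in another user's session.
This is not Directus code; it assumes uploads are served from the same origin
as the management UI and that the declared MIME type, file name and bytes are
all attacker-controlled."""
import re
from dataclasses import dataclass, field

# MIME types a browser executes as active content when rendered inline.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}
# Allow-list of types that may be rendered inline without script execution.
INLINE_SAFE_TYPES = {
    "image/png", "image/jpeg", "image/gif", "image/webp",
    "application/pdf", "text/plain",
}
ACTIVE_EXTENSIONS = {"html", "htm", "xhtml", "svg", "xml"}
# Magic bytes for some inline-safe types; used to confirm the declared type.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
    "application/pdf": b"%PDF-",
}


@dataclass
class ServingPolicy:
    content_type: str
    headers: dict = field(default_factory=dict)

    @property
    def inline(self) -> bool:
        return self.headers["Content-Disposition"].startswith("inline")


def looks_like_markup(data: bytes) -> bool:
    """True if the leading bytes look like HTML/SVG/XML, whatever the declared type says."""
    head = data[:1024].lstrip().lower()
    return re.match(rb"<(!doctype|html|svg|\?xml|script|body)", head) is not None


def safe_filename(name: str) -> str:
    """Reduce the name to characters that are safe inside a Content-Disposition header."""
    name = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)[:128] or "download"


def serving_policy(declared_type: str, filename: str, data: bytes) -> ServingPolicy:
    """Choose content type and headers for serving one stored upload."""
    mime = declared_type.split(";")[0].strip().lower()
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    common = {
        # The browser must not second-guess the type we send.
        "X-Content-Type-Options": "nosniff",
        # Even if something is rendered, it gets no scripts and no origin privileges.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    magic = MAGIC.get(mime)
    type_confirmed = magic is None or data.startswith(magic)

    inline_ok = (
        mime in INLINE_SAFE_TYPES
        and mime not in ACTIVE_TYPES
        and ext not in ACTIVE_EXTENSIONS
        and not looks_like_markup(data)
        and type_confirmed
    )
    disposition = "inline" if inline_ok else "attachment"
    headers = {**common,
               "Content-Disposition": f'{disposition}; filename="{safe_filename(filename)}"'}
    # Anything active, mismatched or unknown is delivered as an opaque download.
    return ServingPolicy(mime if inline_ok else "application/octet-stream", headers)
```

The allow-list is deliberately short: the safe default for a type the policy has not seen is a download, and a declared image whose bytes start with markup is treated the same way regardless of its extension.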
“Due to the nature of XSS attacks, the potential damage depends largely on the privileges of the attacked user,” Johansson said. “In general, it would give the attacker the ability to compromise another user’s account and perform actions such as adding or changing data attributed to that user without their knowledge or consent.
“In a worst-case scenario where an admin user is affected, the malicious actor could steal all information stored in the Directus system and cause disruption by deleting data or changing the system configuration.”
Johansson told Computer Weekly that he hadn’t seen any evidence of active exploitation of the vulnerability, but that it couldn’t be ruled out. “Attackers could start attacking installations that have not yet been updated, so it’s always advisable to update as soon as possible, even if there’s no clear evidence of active exploitation,” he said.
The vulnerability was originally disclosed on January 28, 2022 and confirmed on March 7. On March 18, Directus released version 3.7.0, which contains a fix for CVE-2022-24814. Users who have not yet updated to this version should do so. Synopsys said Directus was consistently responsive and fixed the vulnerability in a timely manner.
While CVE-2022-24814 is by no means as impactful as Log4Shell, which catapulted problems with open source tools, and how organizations use them, to the fore in late 2021, it ultimately stems from a similar source.
The disclosure of a flaw in a widely used open source resource that underpins essential components of many organizations’ work underscores the need for security teams to understand exactly what is being used by the IT and development teams they are tasked with protecting.
“There has been much debate in the industry about whether open-source or proprietary tools are more secure or more vulnerable to vulnerabilities, but this debate misses the point,” said Greg Fitzgerald, co-founder of IT asset management specialist Sevco Security.
“Regardless of what types of tools you use, the biggest risk companies face is losing track of their inventory of IT assets. Enterprises are littered with forgotten or abandoned deployments, and whether open source or proprietary, a single unpatched instance can be enough for malicious actors to invade your network.
“To protect your entire attack surface, the priority for security teams must be to create and maintain a comprehensive inventory of all IT assets touching the network.”
Johansson added: “Before a new software component is used, it should undergo a risk assessment. For example, if the software component is open source, you can look at how actively it is maintained and review timelines and responses to previous vulnerability disclosures, if any.
“In order to get a better picture of potential vulnerabilities, it may be appropriate to run some security tests on the software. In general, the potential impact should determine the scope and depth of testing required. For example, if the software component is used in a mission-critical application, a more comprehensive security review may be warranted.
“Finally, it’s also important to keep track of all software components and versions used within an organization so you can react quickly when a new vulnerability becomes known. Software Composition Analysis (SCA) tools can help.”
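Keeping track of components and versions, as Johansson recommends, is only useful if the inventory can be queried against an advisory’s affected range the day it is published. The following is an added example, not code from Synopsys, Directus or any SCA product: it takes a constructed CSV inventory of hosts and components and reports every Directus instance whose version falls inside the range this article gives as affected (9.6.0 and earlier), and separately lists instances whose recorded version cannot be parsed, since an unknown version is a gap in the inventory rather than a clean bill of health.

```python
"""Added example, not Synopsys or Directus code: check an IT asset inventory for
Directus instances still in the version range the advisory describes as affected
("9.6.0 and earlier"). The inventory rows below are constructed for this example."""
import csv
import io
import re
from typing import Optional

AFFECTED = {
    # CVE id and upper bound taken from the advisory text. A pre-release of the
    # bound (e.g. 9.6.0-rc.1) is older than the bound and is therefore affected.
    "CVE-2022-24814": {"component": "directus", "max_affected": (9, 6, 0)},
}

# Constructed sample inventory (host, component, version).
INVENTORY_CSV = """\
host,component,version
cms-prod-01,directus,9.5.2
cms-prod-02,directus,v9.6.0
cms-stage-01,directus,9.6.0-rc.1
cms-dev-01,directus,9.7.0
wiki-01,mediawiki,1.37.1
cms-legacy-01,directus,unknown
"""

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text: str):
    """Return ((major, minor, patch), prerelease) or None if the string is not a version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)


def is_affected(version: str, max_affected: tuple) -> Optional[bool]:
    """True/False when the version parses; None when it cannot be assessed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    core, _prerelease = parsed
    # Any core version at or below the bound is affected; a pre-release of the
    # bound itself sorts below the bound, so the same comparison covers it.
    return core <= max_affected


def find_affected(csv_text: str, advisories: dict = AFFECTED) -> dict:
    """Map each CVE to the list of (host, version, verdict) rows that need attention."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    report = {}
    for cve, spec in advisories.items():
        hits = []
        for row in rows:
            if row["component"].lower() != spec["component"]:
                continue
            verdict = is_affected(row["version"], spec["max_affected"])
            if verdict is None:
                hits.append((row["host"], row["version"], "unknown-version"))
            elif verdict:
                hits.append((row["host"], row["version"], "affected"))
        report[cve] = hits
    return report


if __name__ == "__main__":
    for cve, hits in find_affected(INVENTORY_CSV).items():
        print(cve)
        for host, version, verdict in hits:
            print(f"  {host:15} {version:12} {verdict}")
```

The `AFFECTED` table is the only thing that changes per advisory; the rest is the same check Fitzgerald’s point about forgotten deployments depends on, which is why the unparseable `cms-legacy-01` row is reported rather than silently skipped.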