Directus · Directus · CVE-2022-24814
**Name of the Vulnerable Software and Affected Versions**
Directus versions prior to 9.7.0
**Description**
The issue allows unauthorized JavaScript to be executed by inserting an iframe into the Rich Text HTML interface that links to an uploaded HTML file, which in turn loads another uploaded JS file from its script tag. Because both uploaded files are served by the application itself, this satisfies the default Content Security Policy header, allowing the uploaded file to run arbitrary JS.
**Recommendations**
For versions prior to 9.7.0, update to version 9.7.0 to resolve the issue.
As a temporary workaround, consider disabling live media embeds in the what-you-see-is-what-you-get (WYSIWYG) editor by adding `{ "media live embeds": false }` to the Options Overrides option of the Rich Text HTML interface.
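Added example in JavaScript, written for this page and not taken from the Directus project or the advisory: a defender-side check that finds and strips rich-text `<iframe>` embeds pointing at files served from the application's own upload endpoint, together with the response headers a file-serving route can send so that a framed HTML upload cannot execute script. It assumes uploads are served under the `/assets/` path on the same origin (adjust to your deployment) and uses constructed sample HTML; the header function shows a general hardening practice, not the actual change shipped in 9.7.0.

```javascript
// Added example, not Directus code. Assumption: uploaded files are served at
// same-origin paths under UPLOAD_PATH_PREFIX.
const UPLOAD_PATH_PREFIX = "/assets/";

// Opening <iframe ...> tags, capturing the attribute string.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
// A src attribute with a double-quoted, single-quoted, or unquoted value.
const SRC_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function extractSrc(attrs) {
  const m = SRC_RE.exec(attrs);
  if (!m) return null;
  return (m[1] ?? m[2] ?? m[3]).trim();
}

// True when `src`, resolved against `siteOrigin`, is a same-origin URL whose
// path begins with the upload prefix, i.e. the iframe embeds a user upload.
// Scheme-relative ("//host/...") and absolute URLs resolve to their own origin
// and are therefore not flagged.
function pointsAtUploadedFile(src, siteOrigin) {
  let url;
  try {
    url = new URL(src, siteOrigin);
  } catch {
    return false; // unparsable src is not a same-origin upload reference
  }
  return url.origin === new URL(siteOrigin).origin
    && url.pathname.startsWith(UPLOAD_PATH_PREFIX);
}

// Detection: list the src values of iframes that embed uploaded files.
function findUploadedFileEmbeds(html, siteOrigin) {
  const hits = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const src = extractSrc(m[1]);
    if (src !== null && pointsAtUploadedFile(src, siteOrigin)) hits.push(src);
  }
  return hits;
}

// Mitigation at the content layer: remove those iframes (whole element when a
// closing tag is present, otherwise the bare opening tag) and report them.
function stripUploadedFileEmbeds(html, siteOrigin) {
  const removed = [];
  const cleaned = html.replace(
    /<iframe\b([^>]*)>[\s\S]*?<\/iframe\s*>|<iframe\b([^>]*)\/?>/gi,
    (tag, attrsWithClose, attrsBare) => {
      const src = extractSrc(attrsWithClose ?? attrsBare ?? "");
      if (src !== null && pointsAtUploadedFile(src, siteOrigin)) {
        removed.push(src);
        return "";
      }
      return tag;
    },
  );
  return { html: cleaned, removed };
}

// Mitigation at the file-serving layer (general practice, assumed here): serve
// uploads under a sandboxing CSP so a framed HTML upload cannot run script, and
// force active document types (HTML, SVG) to download instead of rendering.
function uploadedFileResponseHeaders(contentType) {
  const type = String(contentType).toLowerCase().split(";")[0].trim();
  const active = type === "text/html" || type === "image/svg+xml";
  return {
    "Content-Security-Policy": "sandbox; script-src 'none'",
    "Content-Disposition": active ? "attachment" : "inline",
    "X-Content-Type-Options": "nosniff",
  };
}

// Constructed sample: one embed of an uploaded file, one ordinary video embed.
const SAMPLE_HTML =
  '<p>hi</p><iframe src="/assets/1111-2222.html"></iframe>' +
  '<iframe src="https://www.youtube.com/embed/abc"></iframe>';

if (typeof require !== "undefined" && require.main === module) {
  const site = "https://cms.example.com";
  console.log(findUploadedFileEmbeds(SAMPLE_HTML, site));
  console.log(stripUploadedFileEmbeds(SAMPLE_HTML, site));
  console.log(uploadedFileResponseHeaders("text/html"));
}
```

The regex-based scan is deliberately small so the check is readable; in a production pipeline the same `pointsAtUploadedFile` test should run on the `src` of every `iframe`, `embed` and `object` node produced by a real HTML parser or sanitizer, and the header function belongs on the route that serves uploads, independent of any editor setting.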