CVE-2022-22116

Name of the Vulnerable Software and Affected Versions Directus versions 9.0.0-alpha.4 through 9.4.1

Description The issue is related to a stored Cross-Site Scripting (XSS) vulnerability via SVG file upload in the media upload functionality. A low-privileged attacker can inject arbitrary JavaScript code, which will be executed in a victim's browser when they open the image URL.

Recommendations For versions 9.0.0-alpha.4 through 9.4.1, consider disabling the media upload functionality, specifically the SVG file upload feature, until a patch is available. Restrict access to the media upload module to minimize the risk of exploitation. Avoid using the media upload functionality in the affected versions until the issue is resolved.