PT-2022-16894 · Directus · Directus

Highrijkvanzanten

·

Published

2022-04-04

·

Updated

2022-04-12

·

CVE-2022-24814

CVSS v3.1

8.8

High

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Directus versions prior to 9.7.0
Description: The issue allows unauthorized JavaScript to be executed by inserting an iframe into the Rich Text HTML interface that links to an uploaded HTML file, which in turn loads another uploaded JS file in its script tag. Since both uploaded files are served from the application's own origin, this satisfies the regular Content Security Policy header, allowing the file to run arbitrary JS.
Recommendations: For versions prior to 9.7.0, update to version 9.7.0 to resolve the issue. As a temporary workaround, consider disabling live embeds in the what-you-see-is-what-you-get (WYSIWYG) editor by adding { "media_live_embeds": false } to the Options Overrides option of the Rich Text HTML interface.
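The following is an added illustration, not code from the advisory or from the Directus project. It models why a CSP built on 'self' (assumed here as script-src 'self'; frame-src 'self') does not stop the chain described above, and gives a heuristic audit for stored rich-text HTML. The origin cms.example.test and the path /uploaded-files/ are assumptions, not Directus' actual routes.

```javascript
// Added example (not from the advisory or Directus). Shows why CSP 'self'
// treats uploaded files as trusted and how to audit stored rich text for
// same-origin embeds. Node's global URL is used; no dependencies.

// Assumed application origin and the path under which uploads are served.
// Both are placeholders, not Directus' real configuration.
const APP_ORIGIN = "https://cms.example.test";
const UPLOAD_PATH_PREFIX = "/uploaded-files/";

// Minimal model of CSP 'self' matching: the resource's scheme, host and port
// must equal the page's. An uploaded file on the same host therefore passes.
function allowedBySelf(resourceUrl, pageOrigin = APP_ORIGIN) {
  const res = new URL(resourceUrl, pageOrigin);
  const page = new URL(pageOrigin);
  return res.origin === page.origin;
}

// Lists the src of every <iframe>, <embed> and <object> in a stored HTML
// string. Regex-based on purpose: an audit heuristic over stored content,
// not an HTML parser; it only reports and never rewrites.
function findEmbeds(html) {
  const re = /<(iframe|embed|object)\b[^>]*?\s(?:src|data)\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ tag: m[1].toLowerCase(), src: m[2] });
  }
  return out;
}

// Flags embeds that point at a same-origin uploaded file: exactly the case in
// which a 'self'-based CSP grants the embedded document full script rights.
function auditRichText(html, pageOrigin = APP_ORIGIN) {
  return findEmbeds(html).filter(({ src }) => {
    const u = new URL(src, pageOrigin);
    return allowedBySelf(src, pageOrigin) && u.pathname.startsWith(UPLOAD_PATH_PREFIX);
  });
}

// Constructed sample: one external video embed (allowed by design), one
// embed of an uploaded HTML file on the application's own origin.
const SAMPLE_HTML = `<p>Intro</p>
<iframe src="https://video.example.test/embed/123"></iframe>
<iframe src="/uploaded-files/abc123.html"></iframe>`;

console.log(JSON.stringify(auditRichText(SAMPLE_HTML), null, 2));
```

Run the audit over the stored values of every Rich Text HTML field to find existing content that embeds uploaded files, then apply the version upgrade or the media_live_embeds override from the recommendations above.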

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2022-24814
GHSA-XMJJ-3C76-5W84

Affected Products

Directus