Vulnerability Details : CVE-2022-22116
In Directus, versions 9.0.0-alpha.4 through 9.4.1 are vulnerable to stored Cross-Site Scripting (XSS) vulnerability via SVG file upload in media upload functionality. A low privileged attacker can inject arbitrary javascript code which will be executed in a victim’s browser when they open the image URL.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2022-22116
- cpe:2.3:a:rangerstudio:directus:*:*:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha10:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha11:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha12:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha13:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha14:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha15:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha16:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha17:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha18:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha19:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha20:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha21:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha22:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha23:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha24:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha25:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha26:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha27:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha31:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha32:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha33:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha34:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha35:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha36:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha37:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha38:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha39:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha40:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha41:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha42:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha6:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha7:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha8:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:alpha9:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:beta0:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:beta10:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:beta11:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:beta12:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:beta13:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:beta14:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:beta7:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:beta8:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:beta9:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc0:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc10:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc100:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc101:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc11:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc12:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc13:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc14:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc15:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc17:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc18:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc19:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc20:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc21:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc22:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc23:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc24:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc25:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc26:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc27:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc28:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc29:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc30:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc31:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc32:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc33:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc34:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc35:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc36:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc37:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc38:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc39:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc40:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc41:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc42:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc43:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc44:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc45:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc46:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc47:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc48:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc49:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc50:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc51:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc52:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc53:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc54:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc55:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc56:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc57:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc58:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc59:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc6:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc60:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc61:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc62:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc63:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc64:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc65:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc66:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc67:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc68:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc69:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc7:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc70:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc71:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc72:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc73:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc74:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc75:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc76:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc77:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc78:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc79:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc8:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc80:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc81:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc82:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc83:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc84:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc85:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc86:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc87:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc88:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc89:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc9:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc90:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc91:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc92:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc93:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc94:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc95:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc96:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc97:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc98:*:*:*:*:*:*
- cpe:2.3:a:rangerstudio:directus:9.0.0:rc99:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-22116
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 19 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-22116
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST | |
5.4
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
2.3
|
2.7
|
Mend |
CWE ids for CVE-2022-22116
-
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.Assigned by: vulnerabilitylab@mend.io (Primary)
References for CVE-2022-22116
-
https://github.com/directus/directus/commit/ec86d5412d45136915d9b622b4a890dd26932b10
Add Content-Security-Policy header by default (#10776) · directus/directus@ec86d54 · GitHubPatch;Third Party Advisory
-
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-22116
CVE-2022-22116 | WhiteSource Vulnerability DatabaseExploit;Third Party Advisory
Jump to