Cross-site Scripting (XSS) - Stored in directus/directus

Valid
Reported on May 14th 2021

BUG

Stored XSS in comments on collection items

IMPACT

A lower-privileged user can store a comment that executes arbitrary JavaScript in an administrator's browser session. Because the script runs under the admin's authenticated session, any action the admin can perform in the UI (including granting the attacker's account admin privileges) can be scripted, so the reporter rates this as privilege escalation to admin.

ACCOUNT

  1. Admin (victim): Firefox, normal window
  2. User B (attacker): Firefox, private window, so the two sessions do not share cookies

STEP TO REPRODUCE

  1. From the admin account, invite user B with lower permissions.
  2. Still as admin, create a collection.
  3. Switch to user B's session (Firefox private window), open the collection created above and add a comment containing the payload below. The payload fires immediately in user B's own view, which confirms the comment body is rendered as HTML rather than as text. payload--> xss"'><img src=x onerror=alert(2)>
  4. From the admin account, open the same collection. The stored comment is rendered unescaped again and the payload executes in the admin's session (the non-existent image fails to load, so the onerror handler runs).
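As an added illustration of the bug class behind the steps above (example code, not Directus's own code), the following shows a hypothetical comment renderer that interpolates the comment body straight into HTML, next to the escaped version a fix would use. The report's payload is embedded as constructed input; the function names and the markup wrapper are assumptions.

```javascript
// Added example, not code from the report or from Directus.
// The payload from the report, embedded as constructed sample input.
const REPORTED_PAYLOAD = `xss"'><img src=x onerror=alert(2)>`;

// Vulnerable pattern (hypothetical): the comment body is concatenated into an
// HTML string that the client later assigns to innerHTML. The attacker's quote
// and angle-bracket characters pass through untouched, so the browser closes
// the <span> early and parses <img src=x onerror=...> as real markup.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: <span>${body}</span></div>`;
}

// Fix: escape the characters that matter in HTML text and attribute contexts
// before interpolating. After escaping, the browser sees only text.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: every user-controlled field goes through escapeHtml.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: <span>${escapeHtml(body)}</span></div>`;
}

// Helper for a regression check: pull the rendered comment body back out of
// the wrapper so the check looks only at what came from user input.
function commentBodyOf(html) {
  const match = /<span>([\s\S]*)<\/span>/.exec(html);
  return match ? match[1] : '';
}

// True when the rendered body still contains the start of a tag, i.e. user
// input was interpolated as markup instead of text.
function containsTag(renderedBody) {
  return /<[a-zA-Z!/]/.test(renderedBody);
}

// Stand-alone demo: the unsafe render keeps the <img ... onerror=...> tag,
// the safe render reduces it to inert entity-encoded text.
console.log('unsafe:', renderCommentUnsafe('userB', REPORTED_PAYLOAD));
console.log('safe:  ', renderCommentSafe('userB', REPORTED_PAYLOAD));
console.log('unsafe body contains tag:', containsTag(commentBodyOf(renderCommentUnsafe('userB', REPORTED_PAYLOAD))));
console.log('safe body contains tag:  ', containsTag(commentBodyOf(renderCommentSafe('userB', REPORTED_PAYLOAD))));
```

In browser code that already holds a DOM node, assigning the comment body to `textContent` instead of `innerHTML` gives the same guarantee without a manual escaping step; the escaping function above is the equivalent for server-side or template-string rendering.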

VIDEO POC

https://drive.google.com/file/d/1PRpugTIJug90M_IlBA4DaimCbH7fTm5X/view?usp=sharing