CVE-2022-24814: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in directus directus

Medium
Published: Mon Apr 04 2022 (04/04/2022, 17:50:11 UTC)
Source: CVE
Vendor/Project: directus
Product: directus

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 9.7.0, unauthorized JavaScript (JS) can be executed by inserting an iframe into the rich text html interface that links to an uploaded HTML file that loads another uploaded JS file in its script tag. This satisfies the regular content security policy header, which in turn allows the file to run any arbitrary JS. This issue was resolved in version 9.7.0. As a workaround, disable the live embed in the what-you-see-is-what-you-get (WYSIWYG) editor by adding `{ "media_live_embeds": false }` to the _Options Overrides_ option of the Rich Text HTML interface.

AI-Powered Analysis

Last updated: 06/23/2025, 11:21:11 UTC

Technical Analysis

CVE-2022-24814 is a cross-site scripting (XSS) vulnerability identified in Directus, an open-source real-time API and application dashboard used for managing SQL database content. The vulnerability affects Directus versions prior to 9.7.0. It arises from improper neutralization of input during web page generation, specifically within the rich text HTML interface that supports live embedding of media content. An attacker can exploit this flaw by inserting an iframe into the rich text editor that references an uploaded HTML file. This HTML file, in turn, loads a JavaScript file via a script tag. Because both files are uploads hosted by the Directus instance itself, the embedded script satisfies the default content security policy (CSP) header instead of being blocked by it, so the CSP does not prevent arbitrary JavaScript execution. This enables unauthorized JavaScript execution within the context of the Directus application, potentially allowing an attacker to perform actions such as session hijacking, data theft, or manipulation of the user interface. The vulnerability was addressed in Directus version 9.7.0 by modifying how live embeds are handled to prevent such unauthorized script execution. As an interim mitigation, administrators can disable the live embed feature in the rich text HTML interface by setting the "media_live_embeds" option to false in the _Options Overrides_ configuration. There are no known exploits in the wild reported for this vulnerability, but the nature of XSS vulnerabilities makes them a significant risk if left unpatched, especially in environments where untrusted users can upload or edit content.

Potential Impact

For European organizations using Directus versions earlier than 9.7.0, this vulnerability poses a moderate risk to the confidentiality and integrity of their data and user sessions. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of the Directus dashboard, potentially leading to unauthorized access to sensitive database content, manipulation of displayed data, or theft of authentication tokens. This could disrupt business operations, compromise data integrity, and lead to reputational damage. Given that Directus is often used to manage critical SQL database content in real-time, the impact on availability is less direct but could occur if attackers leverage the XSS to perform further attacks such as privilege escalation or injecting malicious payloads. The vulnerability is particularly concerning in multi-tenant or collaborative environments where multiple users have access to the Directus interface, as it could facilitate lateral movement or broader compromise. European organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, may face additional compliance risks if this vulnerability is exploited to leak personal or sensitive data.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize upgrading Directus installations to version 9.7.0 or later, where the issue is fully resolved. If immediate upgrading is not feasible, administrators should disable the live embed feature in the rich text HTML interface by adding the configuration { "media_live_embeds": false } to the _Options Overrides_ setting. This prevents the embedding of potentially malicious iframes and scripts. Additionally, organizations should audit user permissions to restrict who can upload or edit rich text content, limiting this capability to trusted users only. Implementing strict content validation and sanitization on uploaded files can further reduce risk. Monitoring application logs for unusual iframe or script upload activity can help detect attempted exploitation. Finally, organizations should review and tighten their Content Security Policy headers beyond the default, ensuring that only trusted sources are allowed to execute scripts and embed content. Regular security training for users managing Directus content can also help prevent inadvertent introduction of malicious code.
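The two checks below are an added example, not Directus project code: a scan of stored rich text for iframes that embed files served by the instance itself (the vector in the description), and an audit of field options for the `media_live_embeds` workaround. It assumes, hypothetically, that uploads are served under `/assets/` on the instance origin and that `/fields` items expose the interface name and its options at `meta.interface` and `meta.options`.

```javascript
// Added example (not Directus project code): scan stored rich-text HTML for the
// CVE-2022-24814 embed pattern, an <iframe> whose src points at a file served by
// the Directus instance itself, and audit field options for the workaround.
// Hypothetical assumptions: uploads are served under "/assets/" on the instance
// origin; /fields items carry meta.interface and meta.options as shown below.

const IFRAME_RE = /<iframe\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>/gi;

// Return iframe src values in `html` that resolve to the instance's own asset
// endpoint; relative srcs are resolved against `instanceOrigin`.
function findSelfHostedIframeEmbeds(html, instanceOrigin, assetPath = "/assets/") {
  const base = new URL(instanceOrigin);
  const hits = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const raw = m[1] ?? m[2] ?? m[3] ?? "";
    let url;
    try { url = new URL(raw, base); } catch { continue; } // unparsable src: skip
    if (url.origin === base.origin && url.pathname.startsWith(assetPath)) {
      hits.push(url.href);
    }
  }
  return hits;
}

// Return "collection.field" for rich-text HTML fields that do not explicitly
// set media_live_embeds to false, i.e. fields where the workaround is missing.
function fieldsWithLiveEmbedsEnabled(fields) {
  return fields
    .filter(f => f.meta?.interface === "input-rich-text-html")
    .filter(f => f.meta?.options?.media_live_embeds !== false)
    .map(f => `${f.collection}.${f.field}`);
}

// Constructed sample data: one third-party embed, one embed of a self-hosted
// upload (the advisory's vector), and two constructed /fields items.
const SAMPLE_HTML = `
<p>Release notes</p>
<iframe src="https://player.example.net/embed/42"></iframe>
<iframe src='/assets/0f1e2d3c-0000-4000-8000-000000000000'></iframe>`;
const SAMPLE_FIELDS = [
  { collection: "articles", field: "body",
    meta: { interface: "input-rich-text-html", options: { media_live_embeds: false } } },
  { collection: "pages", field: "content",
    meta: { interface: "input-rich-text-html", options: {} } },
];

console.log(findSelfHostedIframeEmbeds(SAMPLE_HTML, "https://cms.example.test"));
// -> ["https://cms.example.test/assets/0f1e2d3c-0000-4000-8000-000000000000"]
console.log(fieldsWithLiveEmbedsEnabled(SAMPLE_FIELDS)); // -> ["pages.content"]
```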

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-02-10T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9843c4522896dcbf2bf2

Added to database: 5/21/2025, 9:09:23 AM

Last enriched: 6/23/2025, 11:21:11 AM

Last updated: 8/12/2025, 3:36:01 AM
