CVE-2025-64747
BaseFortify
Publication date: 2025-11-13
Last updated on: 2025-11-19
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| monospace | directus | versions before 11.13.0 (11.13.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in Directus versions prior to 11.13.0. It allows users who have 'upload files' and 'edit item' permissions to inject malicious JavaScript code through the Block Editor interface. Attackers can bypass Content Security Policy (CSP) restrictions by using a combination of file uploads and iframe srcdoc attributes, leading to persistent XSS execution.
How can this vulnerability impact me?
Because the injected script is stored, it executes in the browser of every user who later views the affected content, in the context of the Directus application. This can allow unauthorized actions such as data theft, session hijacking, or manipulation of application content, compromising the confidentiality, integrity, and availability of the system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Directus to version 11.13.0 or later, as this version fixes the stored cross-site scripting (XSS) vulnerability. Additionally, restrict user permissions to limit 'upload files' and 'edit item' capabilities only to trusted users to reduce the risk of exploitation.