Modify Presets for Account Takeover
CVE-2024-6534

4.3MEDIUM

Key Information:

Vendor: Directus
Status: Directus
Vendor: CVE Published:; 15 August 2024

What is CVE-2024-6534?

Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.

Affected Version(s)

Directus 10.13.0

References

https://fluidattacks.com/advisories/capaldi

third-party-advisory

https://directus.io/

product

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 15, 2024
Vulnerability Reserved
Jul 5, 2024