Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with CVE-2024-6534, it could result in account takeover.
References
Link | Resource |
---|---|
https://directus.io/ | Product |
https://fluidattacks.com/advisories/bocelli | Exploit Third Party Advisory |
Configurations
History
19 Aug 2024, 18:13
Type | Values Removed | Values Added |
---|---|---|
References | () https://directus.io/ - Product | |
References | () https://fluidattacks.com/advisories/bocelli - Exploit, Third Party Advisory | |
First Time |
Monospace
Monospace directus |
|
Summary |
|
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
CPE | cpe:2.3:a:monospace:directus:10.13.0:*:*:*:*:*:*:* |
15 Aug 2024, 03:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-15 03:15
Updated : 2024-08-19 18:13
NVD link : CVE-2024-6533
Mitre link : CVE-2024-6533
CVE.ORG link : CVE-2024-6533
JSON object : View
Products Affected
monospace
- directus
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')