Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.
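The pattern described above, as an added illustration that is not Directus code: a hypothetical in-memory preset store where the create handler rejects a foreign `user` value but the update handler trusts it (CWE-639), beside a hardened update handler that applies the same ownership rule and only copies allow-listed fields.

```javascript
// Hypothetical preset store, constructed for this example (not Directus's implementation).
// Rule: a preset's `user` field may only ever be the requester's own id, on create AND on update.
const presets = new Map(); // id -> preset
let nextId = 1;

function createPreset(requester, body) {
  // The check the advisory says POST /presets performs: `user` must be the requester.
  if (body.user !== undefined && body.user !== requester.id) {
    return { status: 403, error: 'cannot assign preset to another user' };
  }
  const preset = { id: nextId++, user: requester.id, layout: body.layout ?? null };
  presets.set(preset.id, preset);
  return { status: 200, data: preset };
}

// Shared ownership lookup: only the preset's current owner may modify it.
function loadOwned(requester, id) {
  const preset = presets.get(id);
  return preset && preset.user === requester.id ? preset : null;
}

// Vulnerable variant: ownership is checked, but the user-controlled `user` key is
// copied straight into the record, so the owner can hand the preset to someone else.
function patchPresetVulnerable(requester, id, body) {
  const preset = loadOwned(requester, id);
  if (!preset) return { status: 403, error: 'forbidden' };
  Object.assign(preset, body); // `user` overwritten without validation
  return { status: 200, data: preset };
}

// Hardened variant: same `user` rule as on create, and only allow-listed fields are updated.
const PATCHABLE = ['layout'];
function patchPresetFixed(requester, id, body) {
  const preset = loadOwned(requester, id);
  if (!preset) return { status: 403, error: 'forbidden' };
  if (body.user !== undefined && body.user !== requester.id) {
    return { status: 403, error: 'cannot assign preset to another user' };
  }
  for (const key of PATCHABLE) if (key in body) preset[key] = body[key];
  return { status: 200, data: preset };
}

function resetStore() { presets.clear(); nextId = 1; }
```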
References
Link | Resource |
---|---|
https://directus.io/ | Product |
https://fluidattacks.com/advisories/capaldi | Third Party Advisory |
Configurations
History
19 Aug 2024, 18:17
Type | Values Removed | Values Added |
---|---|---|
CVSS | v2 : v3 : | v2 : unknown v3 : 4.3 |
CPE | cpe:2.3:a:monospace:directus:10.13.0:*:*:*:*:*:*:* | |
References | https://directus.io/ - Product | |
References | https://fluidattacks.com/advisories/capaldi - Third Party Advisory | |
First Time | | Monospace, Monospace directus |
Summary | | |
15 Aug 2024, 04:15
Type | Values Removed | Values Added |
---|---|---|
New CVE | | |
Information
Published : 2024-08-15 04:15
Updated : 2024-08-19 18:17
NVD link : CVE-2024-6534
Mitre link : CVE-2024-6534
CVE.ORG link : CVE-2024-6534
Products Affected
monospace
- directus
CWE
CWE-639
Authorization Bypass Through User-Controlled Key