Moderate severity · NVD Advisory · Published Aug 15, 2024 · Updated May 19, 2025
Directus 10.13.0 - Insecure object reference via PATH presets
CVE-2024-6534
Description
Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.
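The create/update asymmetry described above, as an added sketch that is not Directus source code: `PresetStore`, `assertUserAllowed`, `ForbiddenError` and the actor objects are hypothetical names. It puts the flawed update path, which skips the `user` check, next to one that reuses the rule from create.

```javascript
// Added illustration, not Directus code. All names here are hypothetical.
class ForbiddenError extends Error {}

// One rule for every write path: a non-admin may only set the `user`
// field of a preset to their own id.
function assertUserAllowed(actor, payload) {
  if (!('user' in payload)) return; // field not being written
  if (actor.admin) return;
  if (payload.user !== actor.id) {
    throw new ForbiddenError('cannot assign a preset to another user');
  }
}

class PresetStore {
  constructor() { this.rows = new Map(); this.nextId = 1; }

  // Load a preset and confirm the actor owns it (or is an admin).
  ownedRow(actor, id) {
    const row = this.rows.get(id);
    if (!row || (!actor.admin && row.user !== actor.id)) {
      throw new ForbiddenError('preset not found or not owned by caller');
    }
    return row;
  }

  // Create path (POST /presets in the advisory): `user` is validated.
  create(actor, payload) {
    assertUserAllowed(actor, payload);
    const row = { id: this.nextId++, user: actor.id, ...payload };
    this.rows.set(row.id, row);
    return row;
  }

  // Flawed shape from the advisory: the update path checks ownership of
  // the existing row but never validates the new `user` value.
  updateUnchecked(actor, id, patch) {
    return Object.assign(this.ownedRow(actor, id), patch);
  }

  // Corrected shape: the update path applies the same rule as create.
  update(actor, id, patch) {
    const row = this.ownedRow(actor, id);
    assertUserAllowed(actor, patch);
    return Object.assign(row, patch);
  }
}
```

Routing every write through one shared check keeps a new endpoint or HTTP method from silently dropping the validation.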
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| directus (npm) | < 10.13.2 | 10.13.2 |
References
- fluidattacks.com/advisories/capaldi (ghsa, third-party-advisory, WEB)
- github.com/advisories/GHSA-3fff-gqw3-vj86 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-6534 (ghsa, ADVISORY)
- directus.io (ghsa, WEB)
- directus.io (mitre, product)
- github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86 (ghsa, WEB)