Moderate severity · NVD Advisory · Published Aug 15, 2024 · Updated May 19, 2025
Directus 10.13.0 - Insecure object reference via PATH presets
CVE-2024-6534
Description
Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| directus (npm) | < 10.13.2 | 10.13.2 |
References
- fluidattacks.com/advisories/capaldi (ghsa, third-party-advisory, WEB)
- github.com/advisories/GHSA-3fff-gqw3-vj86 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-6534 (ghsa, ADVISORY)
- directus.io (ghsa, WEB)
- directus.io (mitre, product)
- github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86 (ghsa, WEB)