CVE-2024-6534: Improper access control in Directus

August 15, 2024

Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the ‘POST /presets’ request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.

References

directus.io/
fluidattacks.com/advisories/capaldi
github.com/advisories/GHSA-q83v-hq3j-4pq3
github.com/directus/directus
nvd.nist.gov/vuln/detail/CVE-2024-6534

Detect and mitigate CVE-2024-6534 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →