CVE-2024-6534: Directus has an insecure object reference via PATH presets

August 27, 2024 (updated March 20, 2025)

Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the POST /presets request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.

This vulnerability occurs because the application only validates the user parameter in the POST /presets request but not in the PATCH request.

References

directus.io/
fluidattacks.com/advisories/capaldi
github.com/advisories/GHSA-3fff-gqw3-vj86
github.com/directus/directus
github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86
nvd.nist.gov/vuln/detail/CVE-2024-6534

Code Behaviors & Features

Detect and mitigate CVE-2024-6534 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →