GHSA-3fff-gqw3-vj86: Directus has an insecure object reference via PATH presets

August 27, 2024

Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the POST /presets request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.

This vulnerability occurs because the application only validates the user parameter in the POST /presets request but not in the PATCH request.

References

github.com/advisories/GHSA-3fff-gqw3-vj86
github.com/directus/directus
github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86

Detect and mitigate GHSA-3fff-gqw3-vj86 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →