GHSA-q83v-hq3j-4pq3: Duplicate Advisory: Improper access control in Directus

August 15, 2024 (updated March 20, 2025)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-3fff-gqw3-vj86. This link is maintained to preserve external references.

Original Description

Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the ‘POST /presets’ request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.

References

directus.io/
fluidattacks.com/advisories/capaldi
github.com/advisories/GHSA-q83v-hq3j-4pq3
github.com/directus/directus
nvd.nist.gov/vuln/detail/CVE-2024-6534

Detect and mitigate GHSA-q83v-hq3j-4pq3 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →