CVE-2024-6534

Source
https://cve.org/CVERecord?id=CVE-2024-6534
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-6534.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-6534
Aliases
Published
2024-08-15T03:10:46.778Z
Modified
2026-07-08T07:57:53.194120336Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Directus 10.13.0 - Insecure object reference via PATH presets
Details

Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "10.13.0"
                },
                {
                    "last_affected": "10.13.0"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/6xxx/CVE-2024-6534.json",
    "cna_assigner": "Fluid Attacks",
    "cwe_ids": [
        "CWE-639"
    ]
}
References

Affected packages

Git / github.com/directus/directus

Affected ranges

Type
GIT
Repo
https://github.com/directus/directus
Events
Database specific
{
    "source": "CPE_STRING",
    "cpe": "cpe:2.3:a:monospace:directus:10.13.0:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "10.13.0"
        },
        {
            "last_affected": "10.13.0"
        }
    ]
}

Affected versions

10.*
10.13.0
v10.*
v10.13.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-6534.json"