Home > Vulnerability Database > CVE-2024-6534

Mend.io Vulnerability Database

CVE-2024-6534

Good to know:

Date: August 14, 2024

Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.

Language: JS

Severity Score

4.1

Related Resources (7)

Url: https://directus.io/

Url: https://github.com/directus/directus

Url: https://directus.io

Url: https://fluidattacks.com/advisories/capaldi

Url: https://github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-6534

Url: https://www.mend.io/vulnerability-database/CVE-2024-6534

Severity Score

4.1

Weakness Type (CWE)

Authorization Bypass Through User-Controlled Key

CWE-639

Top Fix

Upgrade Version

Upgrade to version directus - 11.1.0;directus - 10.13.4

Learn More

CVSS v3.1

Base Score:	4.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-6534

Good to know:

Date: August 14, 2024

Language: JS

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?