Severity: 5.4 MEDIUM (NVD); NVD: 4.3
EPSS: 0.1% (top 68.80%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 15; Latest update Aug 27

Description

Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application stores an attacker-controlled parameter on the server and the client later injects it into an unsanitized DOM element. When chained with CVE-2024-6534, it could result in account takeover.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.3 | Impact: 2.7

Affected Packages (4 packages)

npm: directus/directus < 10.13.2 (+1)
CVEListV5: directus/directus 10.13.0
NVD: monospace/directus 10.13.0

Vulnerability Details (4)

GHSA: Directus has an insecure object reference via PATH presets (2024-08-27)
OSV: Directus has an insecure object reference via PATH presets (2024-08-27)
GHSA: Duplicate Advisory: Improper access control in Directus (2024-08-15)
OSV: Duplicate Advisory: Improper access control in Directus (2024-08-15)
