CVE-2024-6534
Published 2024-08-15
Priority: P4 · 22 · medium · 4.3 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.33% (24.4th percentile)
Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| directus | directus | — | — |
| directus | directus | >= 0 < 10.13.2 | 10.13.2 |
| directus | directus | >= 0 < 11.3.3 | 11.3.3 |
| directus | directus | 0 – 10.13.0 | — |
| monospace | directus | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| ghsa | — | 5.4 | MEDIUM | — |
| osv | — | 5.4 | MEDIUM | — |
OSV
Directus has a DOM-Based cross-site scripting (XSS) via layout_options
osv · 2025-01-23 · CVSS 4.3 · CVE-2024-6534 [MEDIUM]
### Impact
Directus allows an authenticated attacker to save cross-site scripting code to the database. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with [CVE-2024-6534](https://github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86), it could result in account takeover.
### PoC
To exploit this vulnerability, we need to do the following steps using a non-administrative, default role attacker account.
1. Upload the following JavaScript file using the upload functionality at `POST /files`. This PoC will show an alert message.

```js
export TARGET_HOST="http://localh
```
GHSA
Directus has an insecure object reference via PATH presets
ghsa · 2024-08-27 · CVSS 5.4 · CVE-2024-6534 [MEDIUM] · CWE-639
### Impact
Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the `POST /presets` request but not in the PATCH request. When chained with [CVE-2024-6533](https://github.com/directus/directus/security/advisories/GHSA-9qrm-48qf-r2rw), it could result in account takeover.
This vulnerability occurs because the application only validates the user parameter in the `POST /presets` request but not in the PATCH request.
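The defect described above, shown as an added illustration rather than Directus's own code: a constructed in-memory preset store with a `createPreset` handler that validates the `user` field, a `patchPresetVulnerable` handler that checks ownership but copies `user` through unvalidated, and a `patchPresetFixed` handler that applies the same assignment rule on update. All names and the store layout are assumptions for the example.

```javascript
// Added illustration, not Directus's own code. A constructed in-memory
// store stands in for the presets table; the handlers are route sketches.
const presets = new Map(); // id -> { id, user, collection }
let nextId = 1;

// Shared rule: a non-admin actor may only assign a preset to themselves.
// Leaving `user` out of the body is allowed (the server fills it in).
function assertUserAssignment(actor, requestedUser) {
  if (actor.admin || requestedUser === undefined) return;
  if (requestedUser !== actor.id) {
    throw new Error('forbidden: user field may not point at another account');
  }
}

// Ownership check used by both PATCH variants: only the owner (or an
// admin) may touch an existing preset. This check alone does not stop
// the owner from re-pointing `user` at somebody else.
function loadOwnedPreset(actor, id) {
  const preset = presets.get(id);
  if (!preset) throw new Error('not found');
  if (!actor.admin && preset.user !== actor.id) throw new Error('forbidden');
  return preset;
}

// POST /presets: the user field is validated here in both variants.
function createPreset(actor, body) {
  assertUserAssignment(actor, body.user);
  const preset = { id: nextId++, user: body.user ?? actor.id, collection: body.collection };
  presets.set(preset.id, preset);
  return preset;
}

// Vulnerable PATCH /presets/:id shape: ownership is verified, but the
// incoming `user` value is merged without the create-time rule, so the
// owner can hand their own preset to any other account.
function patchPresetVulnerable(actor, id, body) {
  const preset = loadOwnedPreset(actor, id);
  Object.assign(preset, body);
  return preset;
}

// Hardened PATCH: the same assignment rule that guards POST runs on the
// PATCH body before anything is written.
function patchPresetFixed(actor, id, body) {
  const preset = loadOwnedPreset(actor, id);
  assertUserAssignment(actor, body.user);
  Object.assign(preset, body);
  return preset;
}
```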
### PoC
To exploit this vulnerability, we need to do the following steps using a non-administrative, default role attacker account.
1. Create a preset for a collec
OSV
Duplicate Advisory: Code injection in Directus
osv · 2024-08-15 · CVSS 4.3 · [MEDIUM]
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-9qrm-48qf-r2rw. This link is maintained to preserve external references.
## Original Description
Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with CVE-2024-6534, it could result in account takeover.