Опубликовано: 15 авг. 2024
Источник: github
Github: Прошло ревью
CVSS4: 5.3
CVSS3: 4.1
Описание
Duplicate Advisory: Improper access control in Directus
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-3fff-gqw3-vj86. This link is maintained to preserve external references.
Original Description
Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.
Пакеты
Наименование
directus
npm
Затронутые версииВерсия исправления
<= 10.13.0
Отсутствует
5.3 Medium
CVSS4
4.1 Medium
CVSS3
Дефекты
CWE-639
5.3 Medium
CVSS4
4.1 Medium
CVSS3
Дефекты
CWE-639