Description
Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with CVE-2024-6534, it could result in account takeover.
References
- Product
- Exploit; Third Party Advisory
Vulnerable configurations
Configuration 1
cpe:2.3:a:monospace:directus:10.13.0:*:*:*:*:*:*:*
EPSS
Percentile: 32%
Score: 0.00122
Low
CVSS3
5.4 Medium
Weaknesses
CWE-79