CVE-2024-6534

Опубликовано: 15 авг. 2024

Источник: nvd

CVSS3: 4.3

EPSS Низкий

Описание

Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.

Ссылки

https://directus.io/
Product
https://fluidattacks.com/advisories/capaldi
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:monospace:directus:10.13.0:*:*:*:*:*:*:*

EPSS

Процентиль: 21%

0.00069

Низкий

4.3 Medium

CVSS3

Дефекты

CWE-639

Связанные уязвимости

GHSA-3fff-gqw3-vj86

CVSS3: 4.1

github

больше 1 года назад

Directus has an insecure object reference via PATH presets

BDU:2025-02550