CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-6534: Directus 10.13.0 - Insecure object reference via PATH presets

4.3 CVSS

Description

Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.

Classification

CVE ID: CVE-2024-6534

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem Types

CWE-639 Authorization Bypass Through User-Controlled Key

Affected Products

Vendor: Directus

Product: Directus

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 8.53% (scored less or equal to compared to others)

EPSS Date: 2025-06-17 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-6534
https://fluidattacks.com/advisories/capaldi
https://directus.io/

Timeline

2025-01-23 23:15:21 UTC
Github Advisory Database (NPM)

[directus] Directus has a DOM-Based cross-site scripting (XSS) via layout_options
2025-05-19 19:40:13 UTC
CVE

Directus 10.13.0 - Insecure object reference via PATH presets