CVE-2024-6534

EPSS 0.06%
Veröffentlicht 15.08.2024 04:15:07
Zuletzt bearbeitet 19.05.2025 19:15:47
Quelle help@fluidattacks.com
CVE-Watchlists
Login
Unerledigt
Login

Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Monospace ≫ Directus Version10.13.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.178

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
help@fluidattacks.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://directus.io/

Product

https://fluidattacks.com/advisories/capaldi

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-6534

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-6534

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-6534

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-6534