CVE-2024-6534 - Directus Preset Assignment Privilege Escalation Stored Cross-Site Request Forgery


Aug 15, 2024 - 07:45
CVE ID : CVE-2024-6534
Published : Aug. 15, 2024, 4:15 a.m.
Description : Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.
Severity: 4.1 | MEDIUM
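
The validation gap in the description, as an added example that is not Directus code and not part of the advisory: a simplified in-memory model in which the create path checks the `user` field and one update path does not, next to an update path that applies the same check. The function names, the actor objects and the policy that a non-admin may only assign a preset to their own user id are assumptions made for illustration.

```javascript
// Simplified model of the create/update asymmetry; not Directus source.
// All names and the policy below are hypothetical.
const presets = new Map();
let nextId = 1;

// Assumed policy: a non-admin may only assign a preset to their own user id.
function assertUserFieldAllowed(actor, payload) {
  if ('user' in payload && !actor.admin && payload.user !== actor.id) {
    throw new Error('Forbidden: cannot assign preset to another user');
  }
}

// Assumed policy: a non-admin may only modify presets they currently own.
function loadOwnedPreset(actor, id) {
  const preset = presets.get(id);
  if (!preset) throw new Error('Not found');
  if (!actor.admin && preset.user !== actor.id) {
    throw new Error('Forbidden: not your preset');
  }
  return preset;
}

// Create path (POST /presets): the target user is validated.
function createPreset(actor, payload) {
  assertUserFieldAllowed(actor, payload);
  const preset = { ...payload, user: payload.user ?? actor.id, id: nextId++ };
  presets.set(preset.id, preset);
  return preset;
}

// Update path with the gap: ownership of the stored record is checked,
// but the incoming `user` value is not, so the owner can be changed.
function updatePresetUnvalidated(actor, id, patch) {
  const preset = loadOwnedPreset(actor, id);
  return Object.assign(preset, patch, { id });
}

// Update path with the same field validation as create.
function updatePresetValidated(actor, id, patch) {
  const preset = loadOwnedPreset(actor, id);
  assertUserFieldAllowed(actor, patch);
  return Object.assign(preset, patch, { id });
}

// Constructed sample actors.
const alice = { id: 'user-a', admin: false };
const bob = { id: 'user-b', admin: false };
```

Sharing one validation routine between the create and update handlers keeps the two paths from drifting apart, which is the condition the description attributes the issue to.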