CVE-2024-6534

Name of the Vulnerable Software and Affected Versions Directus version 10.13.0

Description The issue allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with another issue, it could result in account takeover.

Recommendations For Directus version 10.13.0, as a temporary workaround, consider restricting access to the 'PATCH /presets' request to prevent preset manipulation until a patch is available. Additionally, monitor user account activity for signs of unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.