GHSA-q83v-hq3j-4pq3 – directus

Package

Manager: npm
Name: directus
Vulnerable Version: <0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

EPSS: N/A pctlN/A

Details

Duplicate Advisory: Improper access control in Directus ## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-3fff-gqw3-vj86. This link is maintained to preserve external references. ## Original Description Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the 'POST /presets' request but not in the PATCH request. When chained with CVE-2024-6533, it could result in account takeover.

Metadata

Created: 2024-08-15T06:32:22Z
Modified: 2025-03-20T18:34:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-q83v-hq3j-4pq3/GHSA-q83v-hq3j-4pq3.json
CWE IDs: ["CWE-639"]
Alternative ID: N/A
Finding: N/A
Auto approve: 0