Directus
CVE-2024-6533
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from Vendor (fluidattacks) · only source for this CVE.
CVSS VectorVendor: fluidattacks
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with CVE-2024-6534, it could result in account takeover.
AnalysisAI
Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with CVE-2024-6534, it could result in account takeover. Affected products include: Monospace Directus.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Directus 6.4.9 has a hardcoded admin password for the Admin account because of an INSERT statement in api/schema.sql. Ra
Directus 8 before 8.8.2 allows remote authenticated users to execute arbitrary code because file-upload permissions incl
In Directus 8.x through 8.8.1, an attacker can switch to the administrator role (via the PATCH method) without any contr
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 8.6), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 8.2), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.7), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu
Directus is a real-time API and App dashboard for managing SQL database content. Rated high severity (CVSS 7.5), this vu
In Directus 8.x through 8.8.1, an attacker can see all users in the CMS using the API /users/{id}. Rated high severity (
Directus is a real-time API and App dashboard for managing SQL database content. Rated medium severity (CVSS 6.5), this
Directus is a real-time API and App dashboard for managing SQL database content. Rated medium severity (CVSS 6.5), this
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today