CVE-2024-6533

5.4 MEDIUM

📋 TL;DR

CVE-2024-6533 is a stored cross-site scripting (XSS) vulnerability in Directus v10.13.0. An authenticated attacker can store JavaScript in the application so that it later executes in the browsers of other users who view the affected content. This affects all users of the vulnerable version who have access to the affected functionality. When combined with CVE-2024-6534, this could lead to account takeover.

💻 Affected Systems

Products:
  • Directus
Versions: v10.13.0
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to exploit. All deployments using the vulnerable version are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Account takeover leading to complete system compromise, data theft, and further lateral movement within the environment.

🟠 Likely Case

Session hijacking, credential theft, and unauthorized actions performed by attackers using victim sessions.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, potentially only affecting individual user sessions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access. The vulnerability is well-documented in public advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v10.13.1 or later

Vendor Advisory: https://directus.io/

Restart Required: Yes

Instructions:

1. Back up your Directus instance and database.
2. Update Directus to version 10.13.1 or later using your package manager.
3. Restart the Directus service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side input validation to sanitize user-controlled parameters before storage, and encode values when they are rendered. This reduces exposure but does not remove the underlying bug; it is a stopgap until the patch is applied.

Content Security Policy

all

Implement a strict Content Security Policy header to limit script execution. The policy below blocks inline scripts and scripts loaded from other origins, which blunts typical stored XSS payloads; it is a defence-in-depth measure, not a replacement for the patch, and should be tested against the Directus app before deployment.

Content-Security-Policy: default-src 'self'; script-src 'self'

🧯 If You Can't Patch

  • Restrict access to the Directus interface to trusted users only
  • Implement web application firewall rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check if Directus version is exactly 10.13.0. Review application logs for suspicious parameter injection attempts.

Check Version:

Check package.json or run: npm list directus

Verify Fix Applied:

Confirm Directus version is 10.13.1 or later. Test the previously vulnerable functionality with XSS payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual parameter values containing script tags or JavaScript code
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • HTTP requests with suspicious parameters containing script elements
  • Unexpected outbound connections from the Directus server

SIEM Query:

source="directus" AND (param="*<script>*" OR param="*javascript:*")
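As an added example (not from this advisory or the Directus project), the following Python script applies the two log indicators above to constructed sample log lines, decoding URL- and HTML-encoded values first so an encoded payload is not missed, and checks an installed version string against the affected release named in the verification section. The JSON-lines log format and its field names are assumptions, not the real Directus log schema.

```python
import json
import re
from html import unescape
from urllib.parse import unquote

# Constructed sample log records (JSON lines). Field names are an assumed layout, not Directus's schema.
SAMPLE_LOGS = """\
{"ts":"2024-07-01T10:00:01Z","user":"editor","path":"/items/articles","params":{"title":"Quarterly report"}}
{"ts":"2024-07-01T10:02:13Z","user":"editor","path":"/items/articles","params":{"title":"<script>alert(1)</script>"}}
{"ts":"2024-07-01T10:03:40Z","user":"guest","path":"/items/pages","params":{"link":"JAVASCRIPT:alert(1)"}}
{"ts":"2024-07-01T10:05:02Z","user":"guest","path":"/items/pages","params":{"body":"%3Cscript%3Ealert(1)%3C%2Fscript%3E"}}
{"ts":"2024-07-01T10:06:15Z","user":"admin","path":"/items/pages","params":{"body":"The javascript: scheme is blocked by our CSP"}}
"""

# A <script> tag anywhere in the value, or a value that *is* a javascript: URL (not prose mentioning it).
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)
JS_SCHEME = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)

def normalize(value: str) -> str:
    """Undo URL-encoding and HTML entities until stable, so double-encoded payloads still match."""
    for _ in range(3):
        decoded = unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(value: str) -> bool:
    """True when a parameter value carries one of the advisory's log indicators."""
    decoded = normalize(value)
    return bool(SCRIPT_TAG.search(decoded) or JS_SCHEME.match(decoded))

def flag_records(log_text: str) -> list:
    """Return (ts, user, path, field) for every string parameter that looks like an XSS payload."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        for field, value in record.get("params", {}).items():
            if isinstance(value, str) and is_suspicious(value):
                hits.append((record["ts"], record["user"], record["path"], field))
    return hits

def is_vulnerable_version(version: str) -> bool:
    """Per the advisory, exactly v10.13.0 is affected; 10.13.1 and later carry the fix."""
    return version.strip().lstrip("v") == "10.13.0"
```

The fifth sample line shows why the javascript: check is anchored to the start of the value: a bare `*javascript:*` wildcard, as in the SIEM query above, also fires on ordinary text that merely mentions the scheme.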

🔗 References
