CVE-2024-2383

A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/zenml-io/zenml/commit/f863fde1269bc355951f8cfc826c0244d88ad5e9
https://huntr.com/bounties/22d26f5a-c0ae-4344-aa7d-08ff5ada3963

Configurations

No configuration.

History

07 Jun 2024, 14:56

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de clickjacking en las versiones de zenml-io/zenml hasta la 0.55.5 incluida debido a que la aplicación no configura los encabezados HTTP X-Frame-Options o Content-Security-Policy adecuados. Esta vulnerabilidad permite a un atacante incrustar la interfaz de usuario de la aplicación dentro de un iframe en una página maliciosa, lo que podría provocar acciones no autorizadas al engañar a los usuarios para que interactúen con la interfaz bajo el control del atacante. El problema se solucionó en la versión 0.56.3.

06 Jun 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-06 19:15

Updated : 2024-06-07 14:56

NVD link : CVE-2024-2383

Mitre link : CVE-2024-2383

CVE.ORG link : CVE-2024-2383

JSON object : View

Products Affected

No product.

CWE

CWE-1021

Improper Restriction of Rendered UI Layers or Frames

4.3 /10