CVE-2024-2383

A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/zenml-io/zenml/commit/f863fde1269bc355951f8cfc826c0244d88ad5e9
https://huntr.com/bounties/22d26f5a-c0ae-4344-aa7d-08ff5ada3963

Configurations

No configuration.

History

No history.

Information

Published : 2024-06-06 19:15

Updated : 2024-06-07 14:56

NVD link : CVE-2024-2383

Mitre link : CVE-2024-2383

CVE.ORG link : CVE-2024-2383

JSON object : View

Products Affected

No product.

CWE

CWE-1021

Improper Restriction of Rendered UI Layers or Frames

4.3 /10