← Back to CVEs

CVE-2024-2383

MEDIUM

6.1

Description

A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3.

CVE Details

CVSS v3.1 Score6.1

SeverityMEDIUM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionREQUIRED

Published6/6/2024

Last Modified11/21/2024

Sourcenvd

Honeypot Sightings0

Affected Products

zenml:zenml

Weaknesses (CWE)

CWE-1021

References

https://github.com/zenml-io/zenml/commit/f863fde1269bc355951f8cfc826c0244d88ad5e9(security@huntr.dev)

https://huntr.com/bounties/22d26f5a-c0ae-4344-aa7d-08ff5ada3963(security@huntr.dev)

https://github.com/zenml-io/zenml/commit/f863fde1269bc355951f8cfc826c0244d88ad5e9(af854a3a-2127-422b-91ae-364da2661108)

https://huntr.com/bounties/22d26f5a-c0ae-4344-aa7d-08ff5ada3963(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.