CVE-2024-2383

2024-06-0619:15:54

CWE-1021

@huntr_ai

web.nvd.nist.gov

cve-2024-2383

clickjacking

zenml

version 0.55.5

x-frame-options

content-security-policy

unauthorized actions

interface control

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score

4.4

Confidence

High

EPSS

Percentile

9.0%

JSON

A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application’s failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker’s control. The issue was addressed in version 0.56.3.

Affected configurations

Vulners

Vulnrichment

Node

zenml-iozenml-io\/zenmlMatch0.56.3

VendorProductVersionCPE
zenml-iozenml-io\/zenml0.56.3cpe:2.3:a:zenml-io:zenml-io\/zenml:0.56.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
zenml-io	zenml-io\/zenml	0.56.3	cpe:2.3:a:zenml-io:zenml-io\/zenml:0.56.3:::::::*

CNA Affected

[
  {
    "vendor": "zenml-io",
    "product": "zenml-io/zenml",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "0.56.3",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]