Lucene search

[email protected]NVD:CVE-2024-5062

HistoryJun 30, 2024 - 4:15 p.m.

CVE-2024-5062

2024-06-3016:15:03

CWE-79

[email protected]

web.nvd.nist.gov

vulnerability

zenml-io/zenml

xss

survey redirect

input neutralization

web page generation

attacker

javascript code

browser session

account takeover

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

9.2%

JSON

A reflected Cross-Site Scripting (XSS) vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the survey redirect parameter. This flaw allows an attacker to redirect users to a specified URL after completing a survey, without proper validation of the ‘redirect’ parameter. Consequently, an attacker can execute arbitrary JavaScript code in the context of the user’s browser session. This vulnerability could be exploited to steal cookies, potentially leading to account takeover.

References

github.com/zenml-io/zenml/commit/21edd863c0ba53c1110b6f018a07c2d6853cf6d4

huntr.com/bounties/ceddd3c1-a9da-4d6c-85c4-41d4d1e1102f

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

0.0004 Low

EPSS

Percentile

9.2%

JSON

Related for NVD:CVE-2024-5062

osv1 github1 cvelist1 cve1