Lucene search

GoogleOSV:GHSA-MQ73-G4QR-FGCQ

HistoryJun 06, 2024 - 9:30 p.m.

Clickjacking in zenml

2024-06-0621:30:36

Google

osv.dev

clickjacking

zenml

vulnerability

x-frame-options

content-security-policy

http headers

unauthorized actions

attack

interface

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score

6.5

Confidence

High

EPSS

Percentile

9.0%

JSON

A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application’s failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker’s control. The issue was addressed in version 0.56.3.

References

github.com/zenml-io/zenml

github.com/zenml-io/zenml/commit/f863fde1269bc355951f8cfc826c0244d88ad5e9

huntr.com/bounties/22d26f5a-c0ae-4344-aa7d-08ff5ada3963

nvd.nist.gov/vuln/detail/CVE-2024-2383

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score

6.5

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for OSV:GHSA-MQ73-G4QR-FGCQ