Veracode Vulnerability Database: VERACODE:47449
Jun 10, 2024 - 1:58 p.m.

Improper Restriction Of Rendered UI Layers Or Frames (Clickjacking)

2024-06-10 13:58:27
Veracode Vulnerability Database (sca.analysiscenter.veracode.com)
Tags: zenml, vulnerability, clickjacking, x-frame-options, content-security-policy, http headers, iframe, unauthorized actions, tricking users

CVSS3: 4.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AI Score: 6.6
Confidence: High
EPSS: 0
Percentile: 9.0%

zenml is vulnerable to Improper Restriction of Rendered UI Layers or Frames (Clickjacking). The vulnerability is due to the application’s failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers, allowing an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker’s control.
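
The header condition described above can be checked on any captured response. The following is an added example, not code from Veracode or the zenml project: it classifies a response's anti-framing headers the way browsers weigh them, where an enforced CSP frame-ancestors directive takes precedence over X-Frame-Options. The function names and sample header sets are constructed for illustration.

```python
# Added example: classify anti-framing headers on an HTTP response.
# Header names are standard; function names and SAMPLES are constructed.
WILDCARDS = {"*", "http:", "https:"}  # sources that permit any embedding origin

def frame_ancestors_lists(csp_values):
    """Collect the source list of each enforced frame-ancestors directive."""
    found = []
    for value in csp_values:
        for policy in value.split(","):        # one header may carry several policies
            for directive in policy.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    found.append([p.lower() for p in parts[1:]])
                    break                      # first occurrence in a policy wins
    return found

def framing_verdict(headers):
    """headers: list of (name, value) pairs. Returns (protected, reason)."""
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    xfo = {t.strip().lower() for n, v in headers
           if n.lower() == "x-frame-options" for t in v.split(",")}
    lists = frame_ancestors_lists(csp)
    if lists:
        # X-Frame-Options is ignored once frame-ancestors is present.
        # Every policy must allow the ancestor, so one restrictive list suffices.
        if any(not (set(src) & WILDCARDS) for src in lists):
            return True, "csp frame-ancestors restricts framing"
        return False, "csp frame-ancestors allows any origin"
    if xfo in ({"deny"}, {"sameorigin"}):
        return True, "x-frame-options " + next(iter(xfo))
    if xfo:  # e.g. obsolete ALLOW-FROM, or conflicting values
        return False, "x-frame-options value not enforced: " + ",".join(sorted(xfo))
    return False, "no anti-framing header"

# Constructed sample responses
SAMPLES = {
    "missing": [("Content-Type", "text/html")],
    "xfo": [("X-Frame-Options", "SAMEORIGIN")],
    "csp": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "csp_wild": [("Content-Security-Policy", "frame-ancestors *"),
                 ("X-Frame-Options", "DENY")],
    "allow_from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, framing_verdict(hdrs))
```

The check treats conflicting X-Frame-Options values as unprotected, which is a conservative simplification of browser behaviour.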
