Clickjacking Vulnerability in zenml-io/zenml
CVE-2024-2383

6.1MEDIUM

Key Information:

Vendor: Zenml-io
Status: Zenml-io/zenml
Vendor: CVE Published:; 6 June 2024

What is CVE-2024-2383?

A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3.

Affected Version(s)

zenml-io/zenml < 0.56.3

References

https://huntr.com/bounties/22d26f5a-c0ae-4344-aa7d-08ff5a...

https://github.com/zenml-io/zenml/commit/f863fde1269bc355...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 6, 2024
Vulnerability Reserved
Mar 11, 2024

CVE-2024-2383 Data

JSON

Zenml-io

What is CVE-2024-2383?

Affected Version(s)

References

CVSS V3.1

Timeline