CVE-2023-4958 MEDIUM

CVE-2023-4958: StackRox: missing HTTP security headers allow clickjacking in the web UI

Vendor Red Hat
Product Red Hat Advanced Cluster Security 3
Weakness CWE-1021
Published December 12, 2023
Last update August 2, 2024

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L

What the vulnerability does

Description

In Red Hat Advanced Cluster Security (RHACS), some security-related HTTP headers were found to be missing, which allows a clickjacking attack. An attacker could exploit this by convincing a valid RHACS user to visit an attacker-controlled web page that deceptively points to valid RHACS endpoints, hijacking the user's account permissions to perform other actions.
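The defensive check implied by this description is whether a response carries an anti-framing header at all. The following is an added example, not code from the advisory or from the RHACS project: it inspects a response's headers for a CSP frame-ancestors directive or a valid X-Frame-Options value and reports why a page would still be frameable cross-origin. The sample responses are constructed; the header semantics (frame-ancestors overriding X-Frame-Options, ALLOW-FROM being obsolete) are standard browser behaviour.

```python
"""Report whether an HTTP response is protected against clickjacking."""
from typing import Dict, List, Optional


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def clickjacking_findings(headers: Dict[str, str]) -> List[str]:
    """Return reasons the response can be framed cross-origin; [] means protected."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    # 1. If frame-ancestors is present, browsers enforce it and ignore X-Frame-Options.
    ancestors: Optional[List[str]] = parse_csp(
        h.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:
        # '*' or a bare scheme such as 'https:' admits any origin on that scheme.
        if any(s == "*" or s.endswith(":") for s in ancestors):
            findings.append("CSP frame-ancestors allows any origin (X-Frame-Options ignored)")
        return findings  # 'none', 'self' or an explicit allow-list is a deliberate policy
    findings.append("no Content-Security-Policy frame-ancestors directive")

    # 2. Otherwise fall back to X-Frame-Options.
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return []
    if xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers")
    elif xfo:
        findings.append(f"X-Frame-Options value {xfo!r} is invalid and ignored")
    else:
        findings.append("X-Frame-Options header missing")
    return findings


# Constructed sample responses: the first resembles the unprotected case described above.
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo-only": {"Content-Type": "text/html", "X-Frame-Options": "deny"},
    "csp-hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, "->", clickjacking_findings(hdrs) or "protected")
```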

Key dates

Disclosure timeline

December 12, 2023 CVE published
August 2, 2024 Record updated