CVE-2024-2383 MEDIUM

CVE-2024-2383: Clickjacking Vulnerability in zenml-io/zenml

Vendor Zenml-Io
Product zenml-io/zenml
Weakness CWE-1021
Published June 6, 2024
Last update August 1, 2024

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3.

Key dates

02Disclosure timeline

June 6, 2024 CVE published
August 1, 2024 Record updated