Skip to content

Reflected Cross-Site Scripting (XSS) in zenml

Moderate severity GitHub Reviewed Published Jun 30, 2024 to the GitHub Advisory Database • Updated Jul 1, 2024

Package

pip zenml (pip)

Affected versions

= 0.57.1

Patched versions

0.58.0

Description

A reflected Cross-Site Scripting (XSS) vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the survey redirect parameter. This flaw allows an attacker to redirect users to a specified URL after completing a survey, without proper validation of the 'redirect' parameter. Consequently, an attacker can execute arbitrary JavaScript code in the context of the user's browser session. This vulnerability could be exploited to steal cookies, potentially leading to account takeover.

References

Published by the National Vulnerability Database Jun 30, 2024
Published to the GitHub Advisory Database Jun 30, 2024
Reviewed Jul 1, 2024
Last updated Jul 1, 2024

Severity

Moderate
5.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Weaknesses

CVE ID

CVE-2024-5062

GHSA ID

GHSA-3434-hc3m-8mmm

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.