CVE-2024-47063

EPSS 0.17%
Published 30.09.2024 15:15:06
Last modified 30.10.2024 18:24:21
Source security-advisories@github.com
Teams watchlist Login
Open Login

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If a malicious CVAT user with permissions to either create a task, or edit an existing task can trick another logged-in user into visiting a maliciously-constructed URL, they can initiate any API calls on that user's behalf. This gives the attacker temporary access to all data that the victim user has access to. Upgrade to CVAT 2.19.0 or a later version to fix this issue.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Cvat ≫ Computer Vision Annotation Tool Version >= 2.4.7 < 2.19.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.17%	0.388

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	6.2	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/cvat-ai/cvat/commit/75c3d573bc9468b718f53b442c2ef69ad1d5de12

Patch

https://github.com/cvat-ai/cvat/security/advisories/GHSA-2c85-39cc-2px9

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-47063

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-47063

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-47063

EUVD