CVE-2024-47064

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Sep 30, 2024 / Updated: 50d ago

CVSS 6.3 / EPSS 0.04% / Medium

Summary

Computer Vision Annotation Tool (CVAT) is vulnerable to an issue in which an attacker can trick a logged-in user into visiting a maliciously constructed URL. This allows the attacker to initiate any API calls on behalf of the victim user.

Impact

This vulnerability gives the attacker temporary access to all data that the victim user has access to. It could potentially lead to unauthorized data access, manipulation of annotations, or other malicious actions within the scope of the victim's permissions.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. Users should upgrade to CVAT version 2.19.0 or a later version to fix this issue.

Mitigation

1. Upgrade CVAT to version 2.19.0 or later immediately.
2. Educate users about the risks of clicking on unknown or suspicious links, especially when logged into CVAT.
3. Implement strong authentication mechanisms and session management.
4. Consider implementing Content Security Policy (CSP) headers to mitigate cross-site scripting attacks.
5. Regularly review and audit user access permissions to minimize potential data exposure.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment
NVD published the first details for CVE-2024-47064
Sep 30, 2024 at 3:15 PM

CVSS
A CVSS base score of 6.3 has been assigned.
Sep 30, 2024 at 3:20 PM / nvd

First Article
Feedly found the first article mentioning CVE-2024-47064.
Sep 30, 2024 at 3:21 PM / National Vulnerability Database

CVSS Estimate
Feedly estimated the CVSS score as MEDIUM
Sep 30, 2024 at 3:21 PM

EPSS
EPSS Score was set to: 0.04% (Percentile: 9.6%)
Oct 1, 2024 at 10:17 AM

CVSS
A CVSS base score of 6.1 has been assigned.
Oct 30, 2024 at 6:25 PM / nvd
Static CVE Timeline Graph

Affected Systems

Cvat/computer_vision_annotation_tool

Patches

github.com

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch

News

Multiple vulnerabilities in Computer Vision Annotation Tool (CVAT)
NA - CVE-2024-47064 - Computer Vision Annotation Tool (CVAT) is an...
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If an attacker can trick a logged-in CVAT user into visiting a maliciously-constructed...
CVE-2024-47064
If an attacker can trick a logged-in CVAT user into visiting a maliciously-constructed URL, they can initiate any API calls on that user's behalf. Upgrade to CVAT 2.19.0 or a later version to fix this issue.
CVE-2024-47064
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If an attacker can trick a logged-in CVAT user into visiting a maliciously-constructed URL, they can initiate any API calls on that user's behalf. This gives the attacker temporary access to all data that the victim user has access to. Upgrade to CVAT 2.19.0 or a later version to fix this...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability Impact: None
