Upstream information

CVE-2024-9526 at MITRE

Description

There exists a stored XSS vulnerability in the Kubeflow Pipeline View web UI. The Kubeflow web UI allows users to create new pipelines, and when creating a new pipeline it is possible to add a description. The description field accepts HTML tags, which are not filtered properly, leading to a stored XSS. We recommend upgrading past commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v4 Scores
  CNA (Google Inc)
Base Score 7.1
Vector CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:D/RE:L/U:Green
Attack Vector Adjacent Network
Attack Complexity Low
Attack Requirements Present
Privileges Required High
User Interaction Passive
Vulnerable System Confidentiality Impact High
Vulnerable System Integrity Impact High
Vulnerable System Availability Impact Low
Subsequent System Confidentiality Impact High
Subsequent System Integrity Impact High
Subsequent System Availability Impact Low
CVSSv4 Version 4.0
No SUSE Bugzilla entries cross referenced.

SUSE Security Advisories:

List of released packages

Product(s) / Fixed package version(s) / References
openSUSE Tumbleweed
  • govulncheck-vulndb >= 0.0.20241119T173509-1.1
Patchnames: openSUSE-Tumbleweed-2024-14513


SUSE Timeline for this CVE

CVE page created: Mon Nov 18 16:00:36 2024
CVE page last modified: Fri Nov 29 14:54:44 2024