cbcvebase.

Zenml-Io Zenml vulnerabilities

12 known vulnerabilities affecting zenml-io/zenml-io_zenml.

Total CVEs
12
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH3MEDIUM6LOW2

Vulnerabilities

Page 1 of 1
CVE-2024-2083P2CRITICALCVSS 9.9≥ unspecified, < 0.55.52024-04-16
CVE-2024-2083 [CRITICAL] CWE-29 CVE-2024-2083: A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access restrictions. The vulnerability arises due to the lack of validation for dir
nvd
CVE-2024-4680P3HIGHCVSS 8.8≥ unspecified, ≤ latest2024-06-08
CVE-2024-4680 [HIGH] CWE-613 CVE-2024-4680: A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials o A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to insufficient session expiration. Specifically, the session does not expire after a password change, enabling an attacker to maintain access to a compromised account without the victim's ability to revoke this access. This issue was ob
nvd
CVE-2024-9340P3HIGHCVSS 7.5≥ unspecified, < 0.68.02025-03-20
CVE-2024-9340 [HIGH] CWE-835 CVE-2024-9340: A Denial of Service (DoS) vulnerability in zenml-io/zenml version 0.66.0 allows unauthenticated atta A Denial of Service (DoS) vulnerability in zenml-io/zenml version 0.66.0 allows unauthenticated attackers to cause excessive resource consumption by sending malformed multipart requests with arbitrary characters appended to the end of multipart boundaries. This flaw in the multipart request boundary processing mechanism leads to an infinite loop, result
nvd
CVE-2025-8406P3HIGHCVSS 7.8≥ unspecified, < 0.84.22025-10-05
CVE-2025-8406 [HIGH] CWE-22 CVE-2025-8406: ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_directory` to validate files during `data.tar.gz` extraction, which fails to effectively detect symbolic and hard links. This vulnerability can lead to arbitrary file writes, potentially resulting in arbitrary comman
nvd
CVE-2024-2035P3MEDIUMCVSS 6.5≥ unspecified, < 0.56.22024-06-06
CVE-2024-2035 [MEDIUM] CWE-862 CVE-2024-2035: An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user accounts to false, effectively deactivating them. This issue affects versio
nvd
CVE-2024-4311P4MEDIUMCVSS 5.4≥ unspecified, < 0.57.02024-11-14
CVE-2024-4311 [MEDIUM] CWE-770 CVE-2024-4311: zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the absence of rate-limiting on the '/api/v1/current-user' en
nvd
CVE-2024-2383P4MEDIUMCVSS 6.1≥ unspecified, < 0.56.32024-06-06
CVE-2024-2383 [MEDIUM] CWE-1021 CVE-2024-2383: A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tr
nvd
CVE-2024-5062P4MEDIUMCVSS 6.1≥ unspecified, < 0.58.02024-06-30
CVE-2024-5062 [MEDIUM] CWE-79 CVE-2024-5062: A reflected Cross-Site Scripting (XSS) vulnerability was identified in zenml-io/zenml version 0.57.1 A reflected Cross-Site Scripting (XSS) vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the survey redirect parameter. This flaw allows an attacker to redirect users to a specified URL after completing a survey, without proper
nvd
CVE-2024-2260P4MEDIUMCVSS 4.2≥ unspecified, < 0.56.22024-04-16
CVE-2024-2260 [MEDIUM] CWE-384 CVE-2024-2260: A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim's JWT token.
nvd
CVE-2024-2171P4MEDIUMCVSS 4.8≥ unspecified, < 0.56.22024-06-06
CVE-2024-2171 [MEDIUM] CWE-79 CVE-2024-2171: A stored Cross-Site Scripting (XSS) vulnerability was identified in the zenml-io/zenml repository, s A stored Cross-Site Scripting (XSS) vulnerability was identified in the zenml-io/zenml repository, specifically within the 'logo_url' field. By injecting malicious payloads into this field, an attacker could send harmful messages to other users, potentially compromising their accounts. The vulnerability affects version 0.55.3 and was fixed in version 0
nvd
CVE-2024-2213P4LOWCVSS 3.3≥ unspecified, < 0.56.32024-06-06
CVE-2024-2213 [LOW] CWE-620 CVE-2024-2213: An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authe An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current password. This vulnerability allows for unauthorized account takeover by bypassing the standard password change veri
nvd
CVE-2024-2032P4LOWCVSS 3.1≥ unspecified, < 0.55.52024-06-06
CVE-2024-2032 [LOW] CWE-366 CVE-2024-2032: A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which a A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. This issue was fixed in version 0.55.5. The vulnerability arises due to insufficient handling of concurrent user creation requests, leading to data inconsis
nvd
Zenml-Io Zenml vulnerabilities | cvebase