CVE-2023-4956

Published: 15 Sep 2023
Source: redhat
CVSS3: 6.5
EPSS: Low

Description

A flaw was found in Quay. Clickjacking is an attack in which the attacker stacks transparent or opaque layers so that a user who intends to click on the visible top-level page actually clicks a button or link on another page embedded beneath it. During a penetration test, the config-editor page was found to be vulnerable to clickjacking: it can be loaded inside a frame on an attacker-controlled site. This flaw allows an attacker to trick an administrator user into clicking on buttons on the config-editor panel, possibly reconfiguring some parts of the Quay instance.

Statement

To exploit this vulnerability an attacker needs to build a page that loads the config-editor in a frame and then trick an administrator user, who must already be logged in to the Quay instance in the same browser, into clicking on buttons on the config-editor panel. This exploit requirement is why the vulnerability is rated Low impact.

Mitigation

It is recommended to configure the web server in front of Quay to add the X-Frame-Options: DENY header to its responses. The header must be sent as an HTTP response header on every response that renders the config-editor page; browsers ignore X-Frame-Options supplied in a <meta http-equiv> tag. Modern browsers also honour the Content-Security-Policy frame-ancestors directive (frame-ancestors 'none' is equivalent to DENY), and when both are present frame-ancestors takes precedence, so sending both covers old and new browsers.
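The following is an added example, not code from Quay or from the Red Hat advisory. It shows two things a practitioner would want after reading the mitigation above: a check that decides from a response's headers whether a page can be framed (handling the obsolete ALLOW-FROM value and the precedence of CSP frame-ancestors over X-Frame-Options), and a WSGI middleware that adds both headers to every response without clobbering an existing Content-Security-Policy. The config_editor app and the request it is driven with are constructed stand-ins, not Quay's config-editor.

```python
"""Clickjacking (CWE-1021) header check plus a WSGI fix.

Added example for this advisory, not code from Quay or Red Hat. It assumes
nothing about Quay internals: it only inspects the response headers a browser
consults before rendering a page inside a frame, and shows one way to add them.
"""
from typing import Callable, Iterable, List, Tuple

Headers = Iterable[Tuple[str, str]]


def _header(headers: Headers, name: str) -> List[str]:
    """All values of a header, matched case-insensitively."""
    return [v for k, v in headers if k.lower() == name.lower()]


def framing_protection(headers: Headers) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers.

    A frame-ancestors directive, when present, takes precedence over
    X-Frame-Options, so it is checked first. X-Frame-Options ALLOW-FROM is
    obsolete and ignored by current browsers, so it counts as no protection.
    """
    for csp in _header(headers, "Content-Security-Policy"):
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.lower() for s in parts[1:]]
                # "*" or a bare scheme such as "https:" lets any site frame the page
                if "*" in sources or any(s.endswith(":") for s in sources):
                    return False, "frame-ancestors allows any origin: " + " ".join(sources)
                return True, "frame-ancestors " + (" ".join(sources) or "(empty, matches nothing)")
    xfo = _header(headers, "X-Frame-Options")
    if not xfo:
        return False, "no X-Frame-Options and no frame-ancestors"
    value = xfo[0].strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + value
    if value.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored"
    return False, "unrecognised X-Frame-Options value: " + xfo[0]


def anti_framing_middleware(app: Callable, policy: str = "DENY") -> Callable:
    """Wrap a WSGI app so every response carries X-Frame-Options and a
    matching frame-ancestors directive (DENY -> 'none', SAMEORIGIN -> 'self').
    An existing Content-Security-Policy is extended rather than replaced."""
    if policy not in ("DENY", "SAMEORIGIN"):
        raise ValueError("policy must be DENY or SAMEORIGIN")
    ancestors = "frame-ancestors " + ("'none'" if policy == "DENY" else "'self'")

    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            out = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            out.append(("X-Frame-Options", policy))
            csp_idx = [i for i, (k, _) in enumerate(out)
                       if k.lower() == "content-security-policy"]
            if not csp_idx:
                out.append(("Content-Security-Policy", ancestors))
            elif not any("frame-ancestors" in out[i][1].lower() for i in csp_idx):
                k, v = out[csp_idx[0]]
                out[csp_idx[0]] = (k, v.strip().rstrip(";") + "; " + ancestors)
            return start_response(status, out, exc_info)
        return app(environ, start)
    return wrapped


def config_editor(environ, start_response):
    """Stand-in for an unprotected config-editor page (constructed, not Quay's)."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body><button>Save configuration</button></body></html>"]


def response_headers(app: Callable, path: str = "/config") -> List[Tuple[str, str]]:
    """Drive a WSGI app with one constructed GET and return its response headers."""
    captured: List[Tuple[str, str]] = []

    def start_response(status, headers, exc_info=None):
        captured.extend(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "https"}
    body = app(environ, start_response)
    if hasattr(body, "close"):
        body.close()
    return captured


if __name__ == "__main__":
    hardened = anti_framing_middleware(config_editor)
    for label, app in (("unprotected", config_editor), ("hardened", hardened)):
        ok, why = framing_protection(response_headers(app))
        print(f"{label}: {'protected' if ok else 'FRAMEABLE'} ({why})")
```

Running the block prints the unprotected stand-in as FRAMEABLE and the wrapped one as protected. The same framing_protection check can be pointed at headers captured from a real deployment (for example from curl -I against the config-editor URL) to confirm the reverse proxy actually emits the header on that path, which is the check the mitigation above relies on.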

Affected packages

Platform        Package  State     Advisory  Release
Red Hat Quay 3  quay     Affected  -         -


Additional information

Severity: Low
Weakness: CWE-1021 (Improper Restriction of Rendered UI Layers or Frames)
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2238886 (quay: Clickjacking on config-editor page)

EPSS: 0.00172 (percentile 39%), Low

CVSS3: 6.5 Medium

Related vulnerabilities

nvd, CVSS3: 6.5, about 2 years ago: same description as above.

github, CVSS3: 6.5, about 2 years ago: same description as above.
