Stefan Nica

6 exploits Active since Apr 2024
CVE-2024-2035 WRITEUP MEDIUM WRITEUP
zenml < 0.56.2 - Authenticated Missing Authorization via API PUT /api/v1/users/id Endpoint
An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application.
CVSS 6.5
CVE-2024-2083 WRITEUP CRITICAL WRITEUP
zenml < 0.55.5 - Path Traversal via /api/v1/steps Logs URI Parameter
A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access restrictions. The vulnerability arises due to the lack of validation for directory traversal patterns, allowing attackers to access files outside of the restricted directory.
CVSS 9.9
CVE-2024-2213 WRITEUP LOW WRITEUP
zenml-io/zenml <0.55.4 - Auth Bypass
An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current password. This vulnerability allows for unauthorized account takeover by bypassing the standard password change verification process. The issue was fixed in version 0.56.3.
CVSS 3.3
CVE-2024-2383 WRITEUP MEDIUM WRITEUP
zenml <= 0.55.5 - Clickjacking via Missing X-Frame-Options Header
A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to embed the application UI within an iframe on a malicious page, potentially leading to unauthorized actions by tricking users into interacting with the interface under the attacker's control. The issue was addressed in version 0.56.3.
CVSS 6.1
CVE-2024-4311 WRITEUP MEDIUM WRITEUP
zenml < 0.57.0rc2 - Account Takeover via Unlimited Password Change Attempts
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. This vulnerability is due to the absence of rate-limiting on the '/api/v1/current-user' endpoint, which does not restrict the number of attempts an attacker can make to guess the current password. Successful exploitation results in the attacker being able to change the password and take control of the account.
CVSS 5.4
CVE-2025-8406 WRITEUP HIGH WRITEUP
ZenML 0.83.1 - Path Traversal and Arbitrary File Write via PathMaterializer
ZenML version 0.83.1 is affected by a path traversal vulnerability in the `PathMaterializer` class. The `load` function uses `is_path_within_directory` to validate files during `data.tar.gz` extraction, which fails to effectively detect symbolic and hard links. This vulnerability can lead to arbitrary file writes, potentially resulting in arbitrary command execution if critical files are overwritten.
CVSS 7.8