CVE-2024-9526

MEDIUM

Kubeflow Pipelines < 2023-12-13 - Stored Cross-Site Scripting in Pipeline Description Field

Title source: llm
STIX 2.1

Description

There exists a stored XSS Vulnerability in Kubeflow Pipeline View web UI. The Kubeflow Web UI allows to create new pipelines. When creating a new pipeline, it is possible to add a description. The description field allows html tags, which are not filtered properly. Leading to a stored XSS. We recommend upgrading past commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d

References (1)

Core 1
Core References

Scores

CVSS v3 5.4
EPSS 0.0021
EPSS Percentile 10.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (1)
kubeflow/pipelines < 2023-12-13
Published Nov 18, 2024
Tracked Since Feb 18, 2026