Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If an attacker can trick a logged-in CVAT user into visiting a maliciously-constructed URL, they can initiate any API calls on that user's behalf. This gives the attacker temporary access to all data that the victim user has access to. Upgrade to CVAT 2.19.0 or a later version to fix this issue.
History

Wed, 30 Oct 2024 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Cvat
Cvat computer Vision Annotation Tool
CPEs cpe:2.3:a:cvat:computer_vision_annotation_tool:*:*:*:*:*:*:*:*
Vendors & Products Cvat
Cvat computer Vision Annotation Tool
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Mon, 30 Sep 2024 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Sep 2024 15:15:00 +0000

Type Values Removed Values Added
Description Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If an attacker can trick a logged-in CVAT user into visiting a maliciously-constructed URL, they can initiate any API calls on that user's behalf. This gives the attacker temporary access to all data that the victim user has access to. Upgrade to CVAT 2.19.0 or a later version to fix this issue.
Title Computer Vision Annotation Tool (CVAT) contains a reflected XSS via request endpoints
Weaknesses CWE-79
CWE-81
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-09-30T14:57:12.805Z

Updated: 2024-09-30T16:26:35.340Z

Reserved: 2024-09-17T17:42:37.028Z

Link: CVE-2024-47064

cve-icon Vulnrichment

Updated: 2024-09-30T16:26:28.786Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-30T15:15:06.413

Modified: 2024-10-30T18:23:17.020

Link: CVE-2024-47064

cve-icon Redhat

No data.