
Nomadooo

#21232 of 53,630
11.7 Total CVSS
Vulnerabilities · 2
Medium · 2
PT-2024-32382
6.3
2024-09-30
Unknown · Computer Vision Annotation Tool · CVE-2024-47064
**Name of the Vulnerable Software and Affected Versions**
Computer Vision Annotation Tool (CVAT) versions prior to 2.19.0

**Description**
The issue allows an attacker to initiate API calls on behalf of a logged-in user if they can trick the user into visiting a maliciously-constructed URL. This gives the attacker temporary access to all data that the victim user has access to.

**Recommendations**
Upgrade to CVAT 2.19.0 or a later version to fix this issue.

PT-2024-32456
5.4
2024-09-30
Cvat · Cvat · CVE-2024-47172
**Name of the Vulnerable Software and Affected Versions**
Computer Vision Annotation Tool (CVAT) versions prior to 2.19.1

**Description**
The issue allows an attacker with a CVAT account to retrieve certain information about any project, task, job, or membership resource on the CVAT instance. This information is the same as the information returned on a GET request to the resource. Additionally, the attacker can alter the default source and target storage associated with any project or task.

**Recommendations**
Upgrade to CVAT 2.19.1 or any later version to fix the issue.