PT-2024-39677 · Unknown · Kubeflow Pipeline View

Philipp Schneider · Published 2024-11-18 · Updated 2025-07-23 · CVE-2024-9526

CVSS v4.0: 7.1 (High)

Vector: AV:A/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/S:P/AU:Y/R:U/V:D/RE:L/U:Green

Name of the Vulnerable Software and Affected Versions

Kubeflow Pipeline View (affected versions not specified)

Description

A stored XSS vulnerability exists in the Kubeflow Pipeline View web UI. The description field does not properly filter HTML tags, so an attacker can inject malicious HTML code into it when creating a new pipeline. This can lead to a stored XSS attack.

Recommendations

Upgrade past commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d to resolve the issue. As a temporary workaround, consider restricting the use of HTML tags in the description field to minimize the risk of exploitation.
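
The temporary workaround above, sketched as an added example (not Kubeflow's code and not the change in the referenced commit): reject markup in new descriptions, flag descriptions that are already stored, and HTML-escape on output. The record shape (`id`, `description`) and all function names are assumptions.

```javascript
// Added example. Record shape (id, description) and all names are assumptions,
// not Kubeflow Pipelines code.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: use whenever a stored description is written into HTML.
function escapeHtml(text) {
  return String(text ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// An HTML tokenizer only opens markup when "<" is followed by a letter, "/",
// "!" or "?"; "loss < 0.5" is plain text and must not be rejected.
const MARKUP_START = /<[a-z\/!?]/i;

function containsMarkup(text) {
  return MARKUP_START.test(String(text ?? ''));
}

// Input-side workaround: refuse descriptions that carry markup.
function validateDescription(description) {
  return containsMarkup(description)
    ? { ok: false, reason: 'HTML markup is not allowed in the description' }
    : { ok: true, reason: null };
}

// Audit descriptions that were stored before the check existed.
// The excerpt is escaped so the report itself is safe to render.
function auditPipelines(pipelines) {
  return pipelines
    .filter((p) => containsMarkup(p.description))
    .map((p) => ({ id: p.id, excerpt: escapeHtml(String(p.description).slice(0, 60)) }));
}

// Constructed sample records (not real data).
const SAMPLE_PIPELINES = [
  { id: 'p-1', description: 'Trains the churn model nightly' },
  { id: 'p-2', description: 'Stops when loss < 0.5 & accuracy > 0.9' },
  { id: 'p-3', description: '<img src="logo.png"> release notes' },
  { id: 'p-4' }, // description missing
];

console.log(auditPipelines(SAMPLE_PIPELINES));
```

Input rejection only narrows what can be stored; escaping at render time is what keeps an already stored description from being interpreted as HTML.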

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2024-9526
GO-2024-3278
OPENSUSE-SU-2024:14513-1

Affected Products

Kubeflow Pipeline View