zenml
PyPI · 11 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting zenml (page 1 of 1)
- CVE-2024-2032 | LOW | CVSS 3.1 | EG 3.1 | ✓ Fixed in 0.55.5 | 2024-06-06
vulnerable: 0.0.1rc1 ... 0.9.0 (128 versions)
A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple users with the same username when requests are sent in parallel. This issue was fixed in version 0.55.5.…
- CVE-2024-2035 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 0.56.2 | 2024-06-06
vulnerable: 0.0.1rc1 ... 0.9.0 (131 versions)
An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, includin…
- CVE-2024-2083 | CRITICAL | CVSS 9.9 | EG 9.9 | ✓ Fixed in 0.55.5 | 2024-04-16
vulnerable: 0.0.1rc1 ... 0.9.0 (128 versions)
A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary fil…
- CVE-2024-2171 | MEDIUM | CVSS 4.8 | EG 4.8 | ✓ Fixed in 0.56.2 | 2024-06-06
vulnerable: 0.0.1rc1 ... 0.9.0 (131 versions)
A stored Cross-Site Scripting (XSS) vulnerability was identified in the zenml-io/zenml repository, specifically within the 'logo_url' field. By injecting malicious payloads into this field, an attacker could send harmful messages to other …
- CVE-2024-2213 | LOW | CVSS 3.3 | EG 3.3 | ✓ Fixed in 0.56.3 | 2024-06-06
vulnerable: 0.0.1rc1 ... 0.9.0 (132 versions)
An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current…
- CVE-2024-2260 | MEDIUM | CVSS 4.2 | EG 4.2 | ✓ Fixed in 0.56.2 | 2024-04-16
vulnerable: 0.0.1rc1 ... 0.9.0 (131 versions)
A session fixation vulnerability exists in the zenml-io/zenml application, where JWT tokens used for user authentication are not invalidated upon logout. This flaw allows an attacker to bypass authentication mechanisms by reusing a victim'…
- CVE-2024-2383 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 0.56.3 | 2024-06-06
vulnerable: 0.0.1rc1 ... 0.9.0 (132 versions)
A clickjacking vulnerability exists in zenml-io/zenml versions up to and including 0.55.5 due to the application's failure to set appropriate X-Frame-Options or Content-Security-Policy HTTP headers. This vulnerability allows an attacker to…
- CVE-2024-25723 | HIGH | CVSS 8.8 | EG 9.0 | ✓ Fixed in 0.44.4 | 2024-02-27
vulnerable: 0.44.0, 0.44.1, 0.44.2, 0.44.3
ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with…
- CVE-2024-4311 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 0.57.0rc2 | 2024-11-14
vulnerable: 0.0.1rc1 ... 0.9.0 (135 versions)
zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take …
- CVE-2024-4680 | HIGH | CVSS 8.8 | EG 3.9 | 2024-06-08
vulnerable: 0.0.1rc1 ... 0.9.0 (133 versions)
A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to insufficient session expiration. Specifically, the session does not expire after a password change, enabling an attack…
- CVE-2024-5062 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 0.58.0 | 2024-06-30
vulnerable: 0.0.1rc1 ... 0.9.0 (138 versions)
A reflected Cross-Site Scripting (XSS) vulnerability was identified in zenml-io/zenml version 0.57.1. The vulnerability exists due to improper neutralization of input during web page generation, specifically within the survey redirect para…
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for zenml CVEs against the assets you own.