CVE-2024-47064

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-47064

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47064.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-47064

Aliases

GHSA-hp6c-f34j-qjj7

Published

2024-09-30T14:57:12.805Z

Modified

2025-12-01T12:33:44.066869Z

Severity

6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N CVSS Calculator

Summary

Computer Vision Annotation Tool (CVAT) contains a reflected XSS via request endpoints

Details

Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. If an attacker can trick a logged-in CVAT user into visiting a maliciously-constructed URL, they can initiate any API calls on that user's behalf. This gives the attacker temporary access to all data that the victim user has access to. Upgrade to CVAT 2.19.0 or a later version to fix this issue.

Database specific

{
    "cwe_ids": [
        "CWE-79",
        "CWE-81"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47064.json"
}

References

Affected packages

Git / github.com/cvat-ai/cvat

Affected ranges

Type: GIT
Repo: https://github.com/cvat-ai/cvat
Events: Introduced

8ca0236135493d1873dff9a0627f64a14ba6ee18

Fixed

f3164946944ae2545af1d7f82449c4f6d0ae3205

Affected versions

v2.*

v2.16.0

v2.16.1

v2.16.2

v2.16.3

v2.17.0

v2.18.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47064.json"