How severe is CVE-2024-47165?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.4 out of 10.

What type of vulnerability is CVE-2024-47165?

This is classified as CWE-285, which is a common weakness in software security.

CVE-2024-47165 - MEDIUM Severity | CVSS 5.4

Vulnerability Description

Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **CORS origin validation accepting a null origin**. When a Gradio server is deployed locally, the `localhost_aliases` variable includes "null" as a valid origin. This allows attackers to make unauthorized requests from sandboxed iframes or other sources with a null origin, potentially leading to data theft, such as user authentication tokens or uploaded files. This impacts users running Gradio locally, especially those using basic authentication. Users are advised to upgrade to `gradio>=5.0` to address this issue. As a workaround, users can manually modify the `localhost_aliases` list in their local Gradio deployment to exclude "null" as a valid origin. By removing this value, the Gradio server will no longer accept requests from sandboxed iframes or sources with a null origin, mitigating the potential for exploitation.

Related Vulnerabilities

CVE-2018-16086

MEDIUM

CVSS:5.4(Medium)

Insufficient policy enforcement in extensions API in Google Chrome prior to 69.0.3497.81 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via...

CWE-2852018

CVE-2019-14870

MEDIUM

CVSS:5.4(Medium)

All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clien...

CWE-2852019

CVE-2019-1842

MEDIUM

CVSS:5.4(Medium)

A vulnerability in the Secure Shell (SSH) authentication function of Cisco IOS XR Software could allow an authenticated, remote attacker to successfully log in to an affected device using two distinct...

CWE-2852019

CVE-2020-3267

MEDIUM

CVSS:5.4(Medium)

A vulnerability in the API subsystem of Cisco Unified Contact Center Express (Unified CCX) could allow an authenticated, remote attacker to change the availability state of any agent. The vulnerabilit...

CWE-2852020

CVE-2021-42331

MEDIUM

CVSS:5.4(Medium)

The “Study Edit” function of ShinHer StudyOnline System does not perform permission control. After logging in with user’s privilege, remote attackers can access and edit other users’ tutorial schedule...

CWE-2852021

CVE-2022-0829

MEDIUM

CVSS:5.4(Medium)

Improper Authorization in GitHub repository webmin/webmin prior to 1.990.

CWE-2852022