CVE-2023-4956

Summary

A flaw was found in Quay. Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intend to click on the top-level page. During the pentest, it has been detected that the config-editor page is vulnerable to clickjacking. This flaw allows an attacker to trick an administrator user into clicking on buttons on the config-editor panel, possibly reconfiguring some parts of the Quay instance.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-1021: Improper Restriction of Rendered UI Layers or Frames

Workarounds

It is recommended to configure the webserver to perform the inclusion of the X-Frame-Options: Deny header.

ADP Enrichment

CVE Program Container

Additional References

References