Quay Config-Editor Clickjacking via IFrame Admin Privilege Abuse
CVE-2023-4956 Published on November 7, 2023

Quay: clickjacking on config-editor page severity
A flaw was found in Quay. Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intend to click on the top-level page. During the pentest, it has been detected that the config-editor page is vulnerable to clickjacking. This flaw allows an attacker to trick an administrator user into clicking on buttons on the config-editor panel, possibly reconfiguring some parts of the Quay instance.

NVD

Vulnerability Analysis

CVE-2023-4956 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Timeline

Reported to Red Hat.

Made public. 1 day later.

Weakness Type

What is a Clickjacking Vulnerability?

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with. A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to.

CVE-2023-4956 has been classified to as a Clickjacking vulnerability or weakness.


Products Associated with CVE-2023-4956

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-4956 are published in Red Hat Quay:

Red Hat Quay
 

Affected Versions

Red Hat Quay 3:

Exploit Probability

EPSS
0.17%
Percentile
38.57%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.