CVE-2024-24562— Security headers not set in vantage6-UI
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-24562
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Security headers not set in vantage6-UI
Source: NVD (National Vulnerability Database)
Vulnerability Description
vantage6-UI is the official user interface for the vantage6 server. In affected versions a number of security headers are not set. This issue has been addressed in commit `68dfa6614` which is expected to be included in future releases. Users are advised to upgrade when a new release is made. While an upgrade path is not available users may modify the docker image build to insert the headers into nginx.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
保护机制失效
Source: NVD (National Vulnerability Database)
Vulnerability Title
vantage6 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
vantage6是vantage6开源的一个用于 Secure Insight eXchange 的开源 priVAcy preserviNg federalTed leArningG 基础架构。 vantage6 4.2.0及之前版本存在安全漏洞,该漏洞源于未设置安全标头。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| vantage6 | vantage6-UI | <= 4.2.0 | - |
II. Public POCs for CVE-2024-24562
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-24562
请登录查看更多情报信息。
Same Patch Batch · vantage6 · 2024-03-14 · 3 CVEs total
| CVE-2024-24770 | 5.3 MEDIUM | Username timing attack on recover password/MFA token in vantage6 |
| CVE-2024-23823 | 4.2 MEDIUM | CORS settings overly permissive in vantage6 |
IV. Related Vulnerabilities
Same vendor: vantage6
- CVE-2025-43866
Vantage6 Server JWT secret not cryptographically secure - CVE-2025-43863
vantage6 lacks brute-force protection on change password fun - CVE-2024-32969
vantage6 collaboration admins can extend their influence by - CVE-2024-23823
CORS settings overly permissive in vantage6 - CVE-2024-24770
Username timing attack on recover password/MFA token in vant
Same weakness: CWE-693
- CVE-2026-26956
vm2: WASM Sandbox Escape (Node 25 only) - CVE-2026-24120
vm2: Sandbox Breakout Through Promise Species - CVE-2026-41316
ERB has an @_init deserialization guard bypass via def_modul - CVE-2026-41469
Beghelli Sicuro24 SicuroWeb Missing Content Security Policy - CVE-2026-40604
ClearanceKit: opfilter system extension can be suspended or
V. Comments for CVE-2024-24562
No comments yet