CVE-2023-6778

Cross-site Scripting (XSS) - Stored in GitHub repository allegroai/clearml-server prior to 1.13.0.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/allegroai/clearml-server/commit/4684fd5b74af582c894b67a0a06e865c948b763a	Patch
https://huntr.com/bounties/5f3fffac-0358-48e6-a500-81bac13e0e2b	Exploit Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:clear:clearml_server:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-12-18 15:15

Updated : 2024-02-08 10:15

NVD link : CVE-2023-6778

Mitre link : CVE-2023-6778

CVE.ORG link : CVE-2023-6778

JSON object : View

Products Affected

clear

clearml_server

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-6778", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2023-12-18T15:15:10.030", "references": [{"url": "https://github.com/allegroai/clearml-server/commit/4684fd5b74af582c894b67a0a06e865c948b763a", "tags": ["Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/5f3fffac-0358-48e6-a500-81bac13e0e2b", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Cross-site Scripting (XSS) - Stored in GitHub repository allegroai/clearml-server prior to 1.13.0."}, {"lang": "es", "value": "Cross-Site Scripting (XSS) almacenado en el repositorio de GitHub allegroai/clearml-server anterior a 1.13.0. Esta vulnerabilidad afecta al servidor de c\u00f3digo abierto ClearML, que no est\u00e1 dise\u00f1ado para usarse como un servicio disponible p\u00fablicamente. Las recomendaciones de seguridad enfatizan que debe colocarse detr\u00e1s de un firewall o VPN de la empresa. Esta vulnerabilidad solo afecta a los usuarios dentro de la misma organizaci\u00f3n (es decir, cuando una parte malintencionada ya tiene acceso a la red interna y a las credenciales de inicio de sesi\u00f3n de ClearML de un usuario)."}], "lastModified": "2024-02-08T10:15:12.243", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:clear:clearml_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "885DBA48-94E2-4F63-9E10-5AD4CBABBB48", "versionEndExcluding": "1.13.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}