CVE-2024-6578

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the `dangerouslySetInnerHTML` function in React, which is susceptible to XSS attacks. An attacker can exploit this vulnerability by injecting malicious scripts into the logs, which will be executed when a user views the logs-tab.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Exploitability : 3.9 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://huntr.com/bounties/5b1ebc67-5346-44aa-b8b8-3c1c09d79680

Configurations

No configuration.

History

30 Jul 2024, 13:33

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de Cross Site Scripting (XSS) almacenado en aimhubio/aim versión 3.19.3. La vulnerabilidad surge de la neutralización incorrecta de la entrada durante la generación de la página web, específicamente en la pestaña de registros para ejecuciones. Los registros de salida del terminal se muestran utilizando la función `dangerfullySetInnerHTML` en React, que es susceptible a ataques XSS. Un atacante puede aprovechar esta vulnerabilidad inyectando scripts maliciosos en los registros, que se ejecutarán cuando un usuario vea la pestaña de registros.

29 Jul 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-29 19:15

Updated : 2024-07-30 13:33

NVD link : CVE-2024-6578

Mitre link : CVE-2024-6578

CVE.ORG link : CVE-2024-6578

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

7.2 /10