CVE-2024-6578

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the `dangerouslySetInnerHTML` function in React, which is susceptible to XSS attacks. An attacker can exploit this vulnerability by injecting malicious scripts into the logs, which will be executed when a user views the logs-tab.
References
Link Resource
https://huntr.com/bounties/5b1ebc67-5346-44aa-b8b8-3c1c09d79680 Exploit Issue Tracking Third Party Advisory
https://huntr.com/bounties/5b1ebc67-5346-44aa-b8b8-3c1c09d79680 Exploit Issue Tracking Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:aimstack:aim:3.19.3:*:*:*:*:*:*:*

History

21 Nov 2024, 09:49

Type Values Removed Values Added
References () https://huntr.com/bounties/5b1ebc67-5346-44aa-b8b8-3c1c09d79680 - Exploit, Issue Tracking, Third Party Advisory () https://huntr.com/bounties/5b1ebc67-5346-44aa-b8b8-3c1c09d79680 - Exploit, Issue Tracking, Third Party Advisory

20 Aug 2024, 14:51

Type Values Removed Values Added
References () https://huntr.com/bounties/5b1ebc67-5346-44aa-b8b8-3c1c09d79680 - () https://huntr.com/bounties/5b1ebc67-5346-44aa-b8b8-3c1c09d79680 - Exploit, Issue Tracking, Third Party Advisory
CPE cpe:2.3:a:aimstack:aim:3.19.3:*:*:*:*:*:*:*
First Time Aimstack aim
Aimstack
CVSS v2 : unknown
v3 : 7.2
v2 : unknown
v3 : 5.4

30 Jul 2024, 13:33

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de Cross Site Scripting (XSS) almacenado en aimhubio/aim versión 3.19.3. La vulnerabilidad surge de la neutralización incorrecta de la entrada durante la generación de la página web, específicamente en la pestaña de registros para ejecuciones. Los registros de salida del terminal se muestran utilizando la función `dangerfullySetInnerHTML` en React, que es susceptible a ataques XSS. Un atacante puede aprovechar esta vulnerabilidad inyectando scripts maliciosos en los registros, que se ejecutarán cuando un usuario vea la pestaña de registros.

29 Jul 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-29 19:15

Updated : 2024-11-21 09:49


NVD link : CVE-2024-6578

Mitre link : CVE-2024-6578

CVE.ORG link : CVE-2024-6578


JSON object : View

Products Affected

aimstack

  • aim
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')