Skip to main content

Aim CVE-2024-6578

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2024-07-29 security@huntr.dev
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 29, 2024 - 19:15 nvd
MEDIUM 5.4

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on aim (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.19.3.

DescriptionNVD

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the dangerouslySetInnerHTML function in React, which is susceptible to XSS attacks. An attacker can exploit this vulnerability by injecting malicious scripts into the logs, which will be executed when a user views the logs-tab.

AnalysisAI

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the dangerouslySetInnerHTML function in React, which is susceptible to XSS attacks. An attacker can exploit this vulnerability by injecting malicious scripts into the logs, which will be executed when a user views the logs-tab. Affected products include: Aimstack Aim. Version information: version 3.19.3..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Aim

View all
CVE-2024-6396 CRITICAL POC
9.8 Jul 12

A vulnerability in the `_backup_run` function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any fi

CVE-2024-2195 CRITICAL POC
9.8 Apr 10

A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the

CVE-2024-6829 CRITICAL POC
9.1 Mar 20

A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to exploit the `tarfile.extractall()` function to extr

CVE-2024-2196 HIGH POC
8.8 Apr 10

aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting

CVE-2021-43775 HIGH POC
8.6 Nov 23

Aim is an open-source, self-hosted machine learning experiment tracking tool. Rated high severity (CVSS 8.6), this vulne

CVE-2024-8238 HIGH POC
8.1 Mar 20

In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function fro

CVE-2024-6851 HIGH POC
7.5 Mar 20

In version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup function in the aim tracking server accepts a user-spec

CVE-2024-10110 HIGH POC
7.5 Mar 20

In version 3.23.0 of aimhubio/aim, the ScheduledStatusReporter object can be instantiated to run on the main thread of t

CVE-2025-0190 HIGH POC
7.5 Mar 20

In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. Rated high severity (CVSS 7.5), this vulner

CVE-2024-12778 HIGH POC
7.5 Mar 20

A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service (DoS) attack. Rated high severity (CVSS 7.

CVE-2024-8061 HIGH POC
7.5 Mar 20

In version 3.23.0 of aimhubio/aim, certain methods that request data from external servers do not have set timeouts, cau

CVE-2024-6227 HIGH POC
7.5 Jul 08

A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to cause an infinite loop by configuring the remote tr

Share

CVE-2024-6578 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy