CVE-2024-6578

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-6578
A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the `dangerouslySetInnerHTML` function in React, which is susceptible to XSS attacks. An attacker can exploit this vulnerability by injecting malicious scripts into the logs, which will be executed when a user views the logs-tab.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://huntr.com/bounties/5b1ebc67-5346-44aa-b8b8-3c1c09d79680 Exploit Issue Tracking Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:aimstack:aim:3.19.3:*:*:*:*:*:*:*
History

20 Aug 2024, 14:51

Type Values Removed Values Added
References () https://huntr.com/bounties/5b1ebc67-5346-44aa-b8b8-3c1c09d79680 - () https://huntr.com/bounties/5b1ebc67-5346-44aa-b8b8-3c1c09d79680 - Exploit, Issue Tracking, Third Party Advisory
CVSS v2 : unknown
v3 : 7.2 		v2 : unknown
v3 : 5.4
CPE cpe:2.3:a:aimstack:aim:3.19.3:*:*:*:*:*:*:*
First Time Aimstack
Aimstack aim

30 Jul 2024, 13:33

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de Cross Site Scripting (XSS) almacenado en aimhubio/aim versión 3.19.3. La vulnerabilidad surge de la neutralización incorrecta de la entrada durante la generación de la página web, específicamente en la pestaña de registros para ejecuciones. Los registros de salida del terminal se muestran utilizando la función `dangerfullySetInnerHTML` en React, que es susceptible a ataques XSS. Un atacante puede aprovechar esta vulnerabilidad inyectando scripts maliciosos en los registros, que se ejecutarán cuando un usuario vea la pestaña de registros.

29 Jul 2024, 19:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-07-29 19:15

Updated : 2024-08-20 14:51

NVD link : CVE-2024-6578

Mitre link : CVE-2024-6578

CVE.ORG link : CVE-2024-6578

JSON object : View

Products Affected

aimstack

  • aim
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')