CVE-2024-8556

A stored cross-site scripting (XSS) vulnerability exists in modelscope/agentscope, as of the latest commit 21161fe on the main branch. The vulnerability occurs in the view for inspecting detailed run information, where a user-controllable string (run ID) is appended and rendered as HTML. This allows an attacker to execute arbitrary JavaScript code in the context of the user's browser.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://huntr.com/bounties/8439f16b-5256-4466-bb7d-371572572a4b	Exploit
https://huntr.com/bounties/8439f16b-5256-4466-bb7d-371572572a4b	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:modelscope:agentscope:*:*:*:*:*:*:*:*

History

01 Apr 2025, 20:31

Type	Values Removed	Values Added
CPE		cpe:2.3:a:modelscope:agentscope::::::::
First Time		Modelscope agentscope Modelscope
References	~~() https://huntr.com/bounties/8439f16b-5256-4466-bb7d-371572572a4b -~~	() https://huntr.com/bounties/8439f16b-5256-4466-bb7d-371572572a4b - Exploit

20 Mar 2025, 13:15

Type	Values Removed	Values Added
References	~~() https://huntr.com/bounties/8439f16b-5256-4466-bb7d-371572572a4b -~~	() https://huntr.com/bounties/8439f16b-5256-4466-bb7d-371572572a4b -
Summary		(es) Existe una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en modelscope/agentscope, a partir del último commit 21161fe en la rama principal. La vulnerabilidad se produce en la vista para inspeccionar información detallada de la ejecución, donde se añade una cadena controlable por el usuario (ID de ejecución) y se representa como HTML. Esto permite a un atacante ejecutar código JavaScript arbitrario en el contexto del navegador del usuario.

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-04-01 20:31

NVD link : CVE-2024-8556

Mitre link : CVE-2024-8556

CVE.ORG link : CVE-2024-8556

JSON object : View

Products Affected

modelscope

agentscope

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-8556", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2025-03-20T10:15:43.230", "references": [{"url": "https://huntr.com/bounties/8439f16b-5256-4466-bb7d-371572572a4b", "tags": ["Exploit"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/8439f16b-5256-4466-bb7d-371572572a4b", "tags": ["Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability exists in modelscope/agentscope, as of the latest commit 21161fe on the main branch. The vulnerability occurs in the view for inspecting detailed run information, where a user-controllable string (run ID) is appended and rendered as HTML. This allows an attacker to execute arbitrary JavaScript code in the context of the user's browser."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en modelscope/agentscope, a partir del \u00faltimo commit 21161fe en la rama principal. La vulnerabilidad se produce en la vista para inspeccionar informaci\u00f3n detallada de la ejecuci\u00f3n, donde se a\u00f1ade una cadena controlable por el usuario (ID de ejecuci\u00f3n) y se representa como HTML. Esto permite a un atacante ejecutar c\u00f3digo JavaScript arbitrario en el contexto del navegador del usuario."}], "lastModified": "2025-04-01T20:31:16.397", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:modelscope:agentscope:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5726D6D6-9147-4E3C-910A-4BCAC19B5764", "versionEndIncluding": "2024-08-09"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}