CVE-2024-6578: Aim Stored Cross-site Scripting Vulnerability

July 29, 2024 (updated July 30, 2024)

A stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the dangerouslySetInnerHTML function in React, which is susceptible to XSS attacks. An attacker can exploit this vulnerability by injecting malicious scripts into the logs, which will be executed when a user views the logs-tab.

References

github.com/advisories/GHSA-p9f2-jg9w-cx69
github.com/aimhubio/aim
huntr.com/bounties/5b1ebc67-5346-44aa-b8b8-3c1c09d79680
nvd.nist.gov/vuln/detail/CVE-2024-6578

Detect and mitigate CVE-2024-6578 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →