CRITICAL🇵🇱 Wersja polska

CVE-2024-24594

CVSS 9.9v3.1pub. 2024-02-06upd. 2024-11-21

A cross-site scripting (XSS) vulnerability in all versions of the web server component of Allegro AI’s ClearML platform allows a remote attacker to execute a JavaScript payload when a user views the Debug Samples tab in the web UI.

🤖 AI Analysis
How it works

An attacker with minimal privilege level (authenticated user) can deliver a malicious payload that is subsequently rendered without proper sanitization in the Debug Samples tab of the ClearML web interface. When another user views this tab, the browser executes the embedded JavaScript code in the context of the application. The vulnerability works remotely over the network without requiring attacker interaction beyond initial payload preparation.

Impact

An attacker can hijack a user session, steal sensitive data (tokens, credentials, ML model information), and in a changed context (Scope:Changed) potentially affect resources beyond the victim's direct session. High impact ratings on confidentiality, integrity, and availability indicate the possibility of complete account takeover of the attacked user.

Mitigation & patch

Apply patches available from the vendor according to the references. Additional temporary measures: restrict access to the ClearML web interface exclusively to trusted users and internal networks, monitor activity in the Debug Samples tab for anomalies.

Who is affected

All versions of the web server component of the Allegro AI ClearML platform (as described: 'all versions of the web server component').

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Clear Clearml

    APP
    Clear
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2024-24592CRITICAL9.8PL ✓ten sam produkt

Brak uwierzytelnienia w komponencie fileserver platformy ClearML

CVE-2024-24593CRITICAL9.6PL ✓ten sam produkt

CSRF w ClearML API Server — podszywanie się pod użytkownika

CVE-2024-24590HIGH8.0ten sam produkt

Deserialization of untrusted data can occur in versions 0.17.0 to 1.14.2 of the client SDK of Allegro AI’s Cle...

CVE-2024-24591HIGH8.0ten sam produkt

A path traversal vulnerability in versions 1.4.0 to 1.14.1 of the client SDK of Allegro AI’s ClearML platform ...

CVE-2024-24595MEDIUM6.0ten sam produkt

Allegro AI’s open-source version of ClearML stores passwords in plaintext within the MongoDB instance, resulti...