CVE-2024-8101

A stored cross-site scripting (XSS) vulnerability exists in the Text Explorer component of aimhubio/aim version 3.23.0. The vulnerability arises due to the use of `dangerouslySetInnerHTML` without proper sanitization, allowing arbitrary JavaScript execution when rendering tracked texts. This can be exploited by injecting malicious HTML content during the training process, which is then rendered unsanitized in the Text Explorer.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://huntr.com/bounties/60cf2b93-a9a2-435e-a222-3d6abde26adb	Exploit
https://huntr.com/bounties/60cf2b93-a9a2-435e-a222-3d6abde26adb	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:aimstack:aim:3.23.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-20 10:15

Updated : 2025-04-01 20:32

NVD link : CVE-2024-8101

Mitre link : CVE-2024-8101

CVE.ORG link : CVE-2024-8101

JSON object : View

Products Affected

aimstack

aim

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-8101", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2025-03-20T10:15:41.130", "references": [{"url": "https://huntr.com/bounties/60cf2b93-a9a2-435e-a222-3d6abde26adb", "tags": ["Exploit"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/60cf2b93-a9a2-435e-a222-3d6abde26adb", "tags": ["Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability exists in the Text Explorer component of aimhubio/aim version 3.23.0. The vulnerability arises due to the use of `dangerouslySetInnerHTML` without proper sanitization, allowing arbitrary JavaScript execution when rendering tracked texts. This can be exploited by injecting malicious HTML content during the training process, which is then rendered unsanitized in the Text Explorer."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en el componente Text Explorer de aimhubio/aim versi\u00f3n 3.23.0. Esta vulnerabilidad surge debido al uso de `dangerouslySetInnerHTML` sin la debida depuraci\u00f3n, lo que permite la ejecuci\u00f3n arbitraria de JavaScript al renderizar textos rastreados. Esto puede explotarse inyectando contenido HTML malicioso durante el proceso de entrenamiento, que posteriormente se renderiza sin depurar en Text Explorer."}], "lastModified": "2025-04-01T20:32:35.820", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:aimstack:aim:3.23.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99D76F67-9F8E-413B-B64B-108170DE3764"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}