CVE-2024-8238 Unrestricted Code Execution in aimhubio/aim
In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr function from RestrictedPython. This version does not protect against the str.format_map method, allowing an attacker to leak server-side secrets or potentially gain unrestricted code execution...
CVE-2024-6578 Stored XSS in aimhubio/aim
A stored cross-site scripting XSS vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the dangerouslySetInnerHTML...
CVE-2024-6396
A vulnerability in the _backup_run function of aimhubio/aim 3.19.3 allows remote attackers to manipulate run_hash and repo.path to create/write arbitrary files on the host and exfiltrate data, with potential for denial of service, data loss, or remote code execution. Confirmed by connected sourc...
CVE-2024-6396 Arbitrary File Overwrite and Data Exfiltration in aimhubio/aim
A vulnerability in the _backup_run function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host server and exfiltrate arbitrary data. The vulnerability arises due to improper handling of the run_hash and repo.path parameters, which can be manipulated to create an...
Denial Of Service (DoS)
aimhubio/aim is vulnerable to Denial Of Service (DoS). The vulnerability is due to the remote tracking server being configured to point at itself while using the class method Repo.from_path, which allows an attacker to cause the server to endlessly connect to itself and become unable to respond to...
CVE-2024-6227 Infinite Loop in aimhubio/aim
A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to cause an infinite loop by configuring the remote tracking server to point at itself. This results in the server endlessly connecting to itself, rendering it unable to respond to other connections...
CVE-2024-6227
CVE-2024-6227 affects the open-source tool aimhubio/aim version 3.19.3. The vulnerability arises when the remote tracking server is configured to point at itself, causing the server to endlessly connect to itself. This self-loop leads to a denial of service by rendering the server unresponsive to...
CVE-2024-2196
aimhubio/aim is vulnerable to Cross-Site Request Forgery CSRF, allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboar...
CVE-2024-2195 Remote Code Execution in aimhubio/aim
A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the /api/runs/search/run/ endpoint, affecting versions >= 3.0.0. The vulnerability resides in the run_search_api function of the aim/web/api/runs/views.py file, where improper restricti...
CVE-2024-2196 CSRF Vulnerability in aimhubio/aim
aimhubio/aim is vulnerable to Cross-Site Request Forgery CSRF, allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboar...
CVE-2024-2196
The aimhubio/aim Cross-Site Request Forgery (CSRF) vulnerability is caused by missing CSRF and CORS protections in the aim dashboard. An attacker can lure a logged-in user into issuing unauthorized requests, enabling actions such as deleting runs, updating data, and exfiltrating log records or no...