4 matches found
CVE-2024-2196
The aimhubio/aim Cross-Site Request Forgery (CSRF) vulnerability is caused by missing CSRF and CORS protections in the aim dashboard. An attacker can lure a logged-in user into issuing unauthorized requests, enabling actions such as deleting runs, updating data, and exfiltrating log records or no...
CVE-2021-43775
CVE-2021-43775 affects the Aim open‑source, self‑hosted machine learning experiment tracker. Public records describe a path traversal vulnerability in versions prior to 3.1.0, exploitable by manipulating references to files using dot-dot-slash sequences or absolute paths to access arbitrary files...
CVE-2024-8238
CVE-2024-8238 affects aimhubio/aim v3.22.0 where AimQL uses an outdated safer_getattr() from RestrictedPython, failing to block str.format_map() and allowing access to arbitrary Python attributes (e.g., os.environ) and potential unrestricted code execution if a malicious .dll/.so is loaded. Multi...
CVE-2025-51464
The CVE-2025-51464 entry affects aimhubio Aim version 3.28.0. A cross-site scripting (XSS) vulnerability exists in the /api/reports endpoint where Python code is submitted and interpreted by Pyodide when a report is viewed, allowing execution of arbitrary JavaScript in a victim’s browser via pyod...