Allegro AI’s ClearML platform faces a significant security issue with the disclosure of CVE-2024-24594, a Cross-Site Scripting (XSS) vulnerability present in all versions of its web server component. The flaw allows a remote attacker to get a JavaScript payload executed in a victim’s browser when that user opens the Debug Samples tab in the web UI. The potential fallout includes compromise of user sessions, unauthorized access to sensitive data, and manipulation of the user’s interactions with the application.
The National Institute of Standards and Technology (NIST) assigns a CVSS score of 5.4 (MEDIUM) to this vulnerability, reflecting the risk associated with its exploitation. The vector string (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) encodes the attack characteristics: reachable over the network, low attack complexity, low privileges required, user interaction required, changed scope, and low impact on confidentiality and integrity with no impact on availability. While the NVD CVSS score may differ from the CNA score, both sources emphasize the critical nature of this security loophole.
For detailed technical insights and advisory information, refer to the HiddenLayer website. Users are strongly advised to take immediate action to address this vulnerability and safeguard their systems.