Critical XSS Vulnerability in Allegro AI’s ClearML Platform – Take Action Now

CVE: CVE-2024-24594
CVSS (v3.1): 9.9
Source: CVE-2024-24594

Allegro AI’s ClearML platform is a popular machine learning management tool used by data scientists. Unfortunately, researchers have discovered a serious cross-site scripting (XSS) vulnerability that could allow attackers to execute malicious code in users’ browsers.

XSS vulnerabilities occur when a web application includes untrusted user input in a page without validating or escaping it. This allows an attacker to embed malicious JavaScript that is executed in the browser of any other user who views the page. In this case, the vulnerability is in the Debug Samples tab of ClearML’s web interface.

An attacker could craft a URL or sample file that, when opened, would run arbitrary JavaScript in the user’s browser. That JavaScript would have access to the user’s cookies and could potentially steal session tokens or login credentials. It may also be able to access private data within the user’s ClearML account.
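The two input contexts described above (a sample name rendered as text, and a sample URL rendered as a link) need different defenses: HTML-escaping for the text context and scheme validation for the URL context. The following is an added example, not ClearML’s own code; the sample object shape, the `renderSample*` functions and the base URL used to resolve relative sample paths are assumptions.

```javascript
// Added example (not ClearML's code): render untrusted debug-sample metadata safely.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// URL context: only http(s) may be used for links or images; javascript:, data:
// and other schemes are rejected. Relative paths resolve against an assumed base.
const ASSUMED_BASE = "https://clearml.example.invalid/";
function safeUrl(value) {
  try {
    const u = new URL(String(value), ASSUMED_BASE);
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : "";
  } catch (e) {
    return ""; // unparseable input is dropped rather than rendered
  }
}

// Vulnerable pattern: untrusted fields interpolated straight into markup.
function renderSampleUnsafe(sample) {
  return `<div class="sample"><a href="${sample.url}">${sample.name}</a></div>`;
}

// Hardened pattern: escape the text context, validate (then escape) the URL context.
function renderSampleSafe(sample) {
  const url = safeUrl(sample.url);
  const name = escapeHtml(sample.name);
  return url
    ? `<div class="sample"><a href="${escapeHtml(url)}">${name}</a></div>`
    : `<div class="sample"><span>${name}</span></div>`;
}

// Constructed hostile sample for demonstration; both fields would be attacker-controlled.
const HOSTILE_SAMPLE = { name: '<img src=x onerror="alert(1)">', url: "javascript:alert(1)" };
```

`renderSampleUnsafe(HOSTILE_SAMPLE)` emits the tag and the `javascript:` link verbatim, while `renderSampleSafe` neutralises both; a framework's sanitised binding (for example Angular's default interpolation) gives the same result as the safe path.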

The researchers have given this vulnerability a CVSS score of 9.9 out of 10, meaning it is extremely easy to exploit and can have severe impacts. All Allegro AI ClearML users should update to the latest version immediately to patch this vulnerability. Users should also be cautious of any unexpected files or links related to ClearML and be on high alert for phishing attempts trying to exploit this issue.
