AVID-2026-R1332
Description
Cross-site Scripting (XSS) - Stored in allegroai/clearml-server (CVE-2023-6778)
Details
Cross-site Scripting (XSS) - Stored in GitHub repository allegroai/clearml-server prior to 1.13.0.
Reason for inclusion in AVID: CVE-2023-6778 is a stored cross-site scripting vulnerability in allegroai/clearml-server (prior to 1.13.0). ClearML-server is a web service used to manage AI experiments and pipelines, making this a vulnerability in a software component commonly used in general-purpose AI stacks. This aligns with software supply-chain issues in AI systems (dependencies/runtimes serving AI workloads). It is a security vulnerability (XSS) with documented impact signals. The report provides explicit CVE details, affected artifact, and references.
References
- NVD entry
- https://huntr.com/bounties/5f3fffac-0358-48e6-a500-81bac13e0e2b
- https://github.com/allegroai/clearml-server/commit/4684fd5b74af582c894b67a0a06e865c948b763a
Affected or Relevant Artifacts
- Developer: allegroai
- Deployer: allegroai
- Artifact Details:
| Type | Name |
|---|---|
| System | allegroai/clearml-server |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Field | Value |
|---|---|
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| Base Score | 5.4 |
| Base Severity | 🟠 Medium |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🟢 Low |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | 🟢 Low |
| Integrity Impact | 🟢 Low |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-12-18
- Version: 0.3.3
- AVID Entry