Описание
Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().
Ссылки
- Product
- ExploitIssue Tracking
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1
cpe:2.3:a:aimstack:aim:3.28.0:*:*:*:*:python:*:*
EPSS
Процентиль: 57%
0.00345
Низкий
8.8 High
CVSS3
Дефекты
CWE-79
Связанные уязвимости
EPSS
Процентиль: 57%
0.00345
Низкий
8.8 High
CVSS3
Дефекты
CWE-79