CVE-2024-39272
Published: 06 February 2025
Description
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Security Summary
CVE-2024-39272 is a cross-site scripting (XSS) vulnerability in the dataset upload functionality of ClearML Enterprise Server version 3.22.5-1533. The flaw allows a specially crafted HTTP request to execute arbitrary HTML code, triggered by sending a series of HTTP requests to the affected component.
An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R). Successful exploitation changes scope (S:C) and results in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), enabling the execution of arbitrary HTML code in the context of the application.
The primary advisory is detailed in the Talos Intelligence vulnerability report TALOS-2024-2110, available at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2110.
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category
- Other Platforms
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- ClearML is an open-source AI platform supporting the entire AI development lifecycle from research to production, including dataset management, model training, and deployment. The vulnerability is in its Enterprise Server's dataset upload functionality, fitting as an 'Other Platforms' AI tool.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XSS vulnerability in dataset upload allows low-privileged attackers to inject malicious HTML/JS, which executes in victims' browsers when viewing datasets, enabling drive-by compromise via malicious content on legitimate server (T1189), exploitation of public-facing web application (T1190), and theft of session cookies or localStorage credentials like cloud storage secrets (T1539, T1555.003).