CVE-2024-8101

6.1 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in aimhubio/aim version 3.23.0 allows attackers to inject malicious HTML/JavaScript during the training process. When users view tracked texts in the Text Explorer component, the malicious code executes in their browser context. This affects anyone using the vulnerable version of aim with the Text Explorer feature enabled.

💻 Affected Systems

Products:
  • aimhubio/aim
Versions: Version 3.23.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using the Text Explorer component to render tracked texts from training processes.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠 Likely Case

Session hijacking, credential theft, or unauthorized actions performed within the aim application.

🟢 If Mitigated

Limited impact with proper content security policies and network segmentation, though XSS could still affect application functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to inject content during the training process, which typically requires some level of access to the aim system (for example, the ability to log tracked texts to a run).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.23.1 or later

Vendor Advisory: https://huntr.com/bounties/60cf2b93-a9a2-435e-a222-3d6abde26adb

Restart Required: Yes

Instructions:

1. Update aim to version 3.23.1 or later using pip: pip install --upgrade aim==3.23.1
2. Restart any running aim services or applications
3. Verify the update was successful

🔧 Temporary Workarounds

Disable Text Explorer (applies to: all platforms)

Temporarily disable the Text Explorer component to prevent exploitation.

Action: Modify the aim configuration to disable the Text Explorer feature.

Implement Content Security Policy (applies to: all platforms)

Add strict CSP headers to prevent execution of injected scripts.

Action: Add the header Content-Security-Policy: script-src 'self' to HTTP responses served by (or proxied in front of) the aim UI.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all text inputs
  • Use network segmentation to isolate aim instances from critical systems

🔍 How to Verify

Check if Vulnerable:

Check aim version: aim version or pip show aim | grep Version

Check Version:

aim version

Verify Fix Applied:

Verify version is 3.23.1 or later and test Text Explorer with test payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML/JavaScript patterns in training text inputs
  • Multiple failed attempts to inject script tags

Network Indicators:

  • Unexpected outbound connections from aim instances
  • Suspicious JavaScript execution patterns

SIEM Query:

source="aim" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
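As an added example that is not part of this advisory or of the aim project, the following Python scanner applies the same indicator patterns as the SIEM query above to tracked-text records and checks whether an installed aim version is at or past the fixed release. The record shape ({run, name, text}), the constructed sample records, and the generic on<name>= event-handler pattern are assumptions made here.

```python
import re

# Indicator patterns from the advisory's SIEM query. The third pattern is an
# assumption added here: it generalises onerror=/onload= to any inline
# on<name>= handler, at the cost of occasional false positives.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
]


def find_xss_indicators(text):
    """Return the pattern strings that match `text` (empty list if clean)."""
    return [p.pattern for p in XSS_PATTERNS if p.search(text)]


def scan_tracked_texts(records):
    """Scan tracked-text records (assumed shape: dicts with run/name/text).

    Returns a list of (run, name, matched_patterns) for suspicious entries.
    """
    hits = []
    for rec in records:
        matched = find_xss_indicators(rec.get("text", ""))
        if matched:
            hits.append((rec["run"], rec["name"], matched))
    return hits


def is_fixed_version(version):
    """True if an aim version string is 3.23.1 or later (the patched release).

    Tolerates suffixes such as '3.24.0rc1' by taking the leading digits only.
    """
    nums = []
    for part in version.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    nums += [0] * (3 - len(nums))
    return tuple(nums) >= (3, 23, 1)


# Constructed sample records resembling texts tracked during a training run.
SAMPLE_RECORDS = [
    {"run": "run-a1", "name": "prompt", "text": "Summarise the following paragraph."},
    {"run": "run-a1", "name": "output", "text": "<img src=x onerror=alert(1)>"},
    {"run": "run-b2", "name": "note", "text": "<SCRIPT>alert(1)</SCRIPT>"},
    {"run": "run-b2", "name": "link", "text": "javascript:void(0)"},
    {"run": "run-c3", "name": "text", "text": "mention of <b>bold</b> html is fine"},
]

if __name__ == "__main__":
    for run, name, matched in scan_tracked_texts(SAMPLE_RECORDS):
        print(f"{run}/{name}: {', '.join(matched)}")
    for v in ("3.23.0", "3.23.1", "3.24.0rc1"):
        print(v, "patched" if is_fixed_version(v) else "vulnerable")
```

Run it against an export of your own tracked texts to triage entries before they are rendered in Text Explorer; a hit is a reason to inspect the run, not proof of exploitation.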
