Cross-site Scripting (XSS) - Stored in allegroai/clearml-server
Description
Cross-site Scripting (XSS) - Stored in GitHub repository allegroai/clearml-server prior to 1.13.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in ClearML Server prior to 1.13.0 allows attackers to inject arbitrary web scripts.
Vulnerability
A stored Cross-site Scripting (XSS) vulnerability exists in the ClearML Server web application in versions prior to 1.13.0. An attacker can inject malicious scripts that are stored on the server and executed in the browsers of other users when they view the affected content [1][2].
Exploitation
To exploit the vulnerability, an attacker needs to have access to the ClearML Server web interface and input a crafted payload in a field that is not properly sanitized. The payload is then stored and later rendered to other users, leading to script execution in their browsers [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, data theft, or performing unauthorized actions on behalf of the victim within the ClearML Server application [2].
Mitigation
The vulnerability is fixed in ClearML Server version 1.13.0, released on December 18, 2023 [1]. Users should upgrade to this version or later. No workarounds are documented.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <1.13.0
- allegroai/allegroai/clearml-serverv5Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2News mentions
0No linked articles in our index yet.