CVE-2024-27132
Published 2024-02-23
CVE-2024-27132: Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe.
Priority P342 · Critical · 9.6 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.87% (54.3rd percentile)
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe.
This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook.
The vulnerability stems from lack of sanitization over template variables.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lfprojects | mlflow | <= 2.9.2 | — |
| lfprojects | mlflow | >= 0 < 2.10.0 | 2.10.0 |
OSV · 2024-02-24
CVE-2024-27132 [CRITICAL] Cross-site Scripting in MLFlow
GHSA · 2024-02-24
CVE-2024-27132 [CRITICAL] CWE-79 Cross-site Scripting in MLFlow
OSV · 2024-02-23
CVE-2024-27132: Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-02-23