aimhubio Aim
cpe:2.3:a:aimstack:aim:*:*:*:*:*:*:*
- 3.28.0
A stored cross-site scripting vulnerability has been identified in Aimhubio Aim version 3.28.0. This issue allows remote attackers to execute arbitrary JavaScript in the browsers of victims. The vulnerability arises from the application's acceptance of malicious Python code submitted to the '/api/reports' endpoint. When the report is viewed, the code is interpreted and executed by Pyodide, without any sanitization or sandbox restrictions to prevent JavaScript execution via 'pyodide.code.run_js()'.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser, potentially leading to the theft of authentication cookies and tokens, access to sensitive information within the application, and the ability to make authenticated requests on behalf of the victim.
To reproduce this vulnerability, create a report through the '/api/reports' endpoint, including malicious Python code that utilizes Pyodide's JavaScript execution capabilities. Once the report is saved, view it to trigger the execution of the embedded JavaScript.
Users are advised to update to Aim version 3.29.1, where this vulnerability has been fixed.
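The following is an added defensive example, not code from the Aim project or from this advisory. It shows two checks a defender can run while planning the upgrade: a version comparison against the fixed release named above, and a scan of stored report bodies for code that reaches from Pyodide into the browser's JavaScript context. The `run_js` pattern comes from the advisory; matching Pyodide's `js` bridge module is an additional indicator that is my assumption, and the report dictionary layout used for the constructed samples is also an assumption rather than Aim's real schema.

```python
import re

# Release in which the advisory states the issue is fixed.
FIXED_VERSION = (3, 29, 1)

# Patterns indicating a report body reaches into the browser's JavaScript context.
# 'run_js' is the call named in the advisory; the Pyodide 'js' bridge module is an
# additional indicator (assumption: not mentioned on the page).
JS_BRIDGE_PATTERNS = {
    "run_js reference": re.compile(r"\brun_js\b"),
    "js module import": re.compile(r"^\s*(?:import\s+js\b|from\s+js\b)"),
}


def parse_version(text):
    """Turn a dotted version such as '3.28.0' into a tuple for ordered comparison."""
    return tuple(int(part) for part in text.strip().split("."))


def is_fixed(version):
    """True when the running Aim version is at or above the fixed release."""
    return parse_version(version) >= FIXED_VERSION


def find_js_bridge_usage(code):
    """Return (line_number, label) for every report line matching a bridge pattern."""
    hits = []
    for line_no, line in enumerate(code.splitlines(), start=1):
        for label, pattern in JS_BRIDGE_PATTERNS.items():
            if pattern.search(line):
                hits.append((line_no, label))
    return hits


def audit_reports(reports):
    """Flag every stored report whose Python code touches the JavaScript bridge."""
    flagged = []
    for report in reports:
        hits = find_js_bridge_usage(report["code"])
        if hits:
            flagged.append({"id": report["id"], "hits": hits})
    return flagged


# Constructed sample reports; the 'id'/'code' layout is an assumption, not Aim's schema.
SAMPLE_REPORTS = [
    {"id": 1, "code": "import numpy as np\nprint(np.mean([1, 2, 3]))\n"},
    {"id": 2, "code": "from pyodide.code import run_js\nrun_js(\"document.title\")\n"},
    {"id": 3, "code": "import js\njs.console.log('hello')\n"},
]

if __name__ == "__main__":
    for item in audit_reports(SAMPLE_REPORTS):
        print(f"report {item['id']} touches the JS bridge: {item['hits']}")
    print("3.28.0 fixed?", is_fixed("3.28.0"))
```

Run against an export of the reports table, the audit gives a list of report ids to review or quarantine before and after upgrading; the version check is a quick inventory gate for deployments still below 3.29.1.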