Mindsdb 24.7.4.1 Security Vulnerabilities
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it.
CVSS Score: 7.1, EPSS Score: 0.002, Published: 2024-09-12
A cross-site scripting (XSS) vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever a user enumerates an ML Engine, database, project, or dataset containing arbitrary JavaScript code within the web UI.
CVSS Score: 9.0, EPSS Score: 0.001, Published: 2024-09-12
Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with.
CVSS Score: 8.8, EPSS Score: 0.002, Published: 2024-09-12
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction.
CVSS Score: 7.1, EPSS Score: 0.002, Published: 2024-09-12
Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it.
CVSS Score: 7.1, EPSS Score: 0.002, Published: 2024-09-12

