CVE-2024-7760 — Aim vulnerable to Cross-Site Request Forgery

Description

aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CORS settings, allowing cross-origin requests from all origins. This enables CSRF attacks on all endpoints of the tracking server, which can be chained with other existing vulnerabilities such as remote code execution, denial of service, and arbitrary file read/write.

How to fix CVE-2024-7760

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2024-7760 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 3.22.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.4	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-7760
PATCHgithub.com/aimhubio/aim
WEBhuntr.com/bounties/2038df5f-4829-4040-8573-67bf9bb89229