
CVE-2024-7760: CSRF in aimhubio/aim

7.4 CVSS

Description

aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CORS settings, allowing cross-origin requests from all origins. This enables CSRF attacks on all endpoints of the tracking server, which can be chained with other existing vulnerabilities such as remote code execution, denial of service, and arbitrary file read/write.
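As an added illustration (not code from the aim project), the following Python models how a browser applies a server's CORS response headers, contrasting the wildcard configuration the advisory describes with an explicit origin allowlist; the policy field names, the local UI origin and the third-party origin are assumed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class CorsPolicy:
    allow_origins: list = field(default_factory=list)   # "*" or explicit origins
    allow_methods: list = field(default_factory=lambda: ["GET"])
    allow_credentials: bool = False

# Constructed policies: the permissive shape the advisory describes, and an allowlist
VULNERABLE = CorsPolicy(allow_origins=["*"], allow_methods=["*"], allow_credentials=True)
HARDENED = CorsPolicy(allow_origins=["http://localhost:43800"], allow_methods=["GET", "POST"])

def cors_headers(policy, origin):
    """Access-Control-* headers the server would send back for a request from `origin`."""
    if "*" in policy.allow_origins:
        # Middleware commonly reflects the request origin when credentials are enabled
        allowed = origin if policy.allow_credentials else "*"
    elif origin in policy.allow_origins:
        allowed = origin
    else:
        return {}
    headers = {"Access-Control-Allow-Origin": allowed,
               "Access-Control-Allow-Methods": ", ".join(policy.allow_methods)}
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

def browser_allows(policy, origin, method, with_credentials):
    """Browser's CORS decision: may a page on `origin` send `method` and read the reply?"""
    h = cors_headers(policy, origin)
    if not h:
        return False
    acao = h["Access-Control-Allow-Origin"]
    methods = h["Access-Control-Allow-Methods"]
    if "*" not in methods and method not in methods.split(", "):
        return False
    if with_credentials:
        return acao == origin and h.get("Access-Control-Allow-Credentials") == "true"
    return acao in ("*", origin)

def audit(policy):
    """Findings a reviewer would raise against the tracking server's CORS settings."""
    findings = []
    if "*" in policy.allow_origins:
        findings.append("wildcard allow_origins: any website can call every endpoint")
        if policy.allow_credentials:
            findings.append("wildcard origins combined with credentials")
    if "*" in policy.allow_methods:
        findings.append("all methods allowed cross-origin, including state-changing ones")
    return findings
```

Running `audit` against a deployment's actual middleware settings is the quick check; an unauthenticated server on localhost is reachable from any site under the wildcard policy even without credentials.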

Classification

CVE ID: CVE-2024-7760

CVSS Base Severity: HIGH

CVSS Base Score: 7.4

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Problem Types

CWE-352 Cross-Site Request Forgery (CSRF)

Affected Products

Vendor: aimhubio

Product: aimhubio/aim

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.31% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-18 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-7760
https://huntr.com/bounties/2038df5f-4829-4040-8573-67bf9bb89229
