Aimhubio's Aim Vulnerable to Cross-Site Request Forgery (CSRF) Attacks
CVE-2024-2196

8.8 HIGH

Key Information:

Vendor: Aimhubio
CVE Published: 10 April 2024

Summary

Aimhubio's Aim is vulnerable to Cross-Site Request Forgery (CSRF). Because the Aim dashboard's CSRF and CORS protections are inadequate, a web page under an attacker's control can make a victim's browser issue requests to the Aim server, and the server treats them as if the user had made them. The reported impact covers deleting runs, making unauthorized updates to run data, and stealing data the user can see, such as log records and notes. The two weaknesses compound: CSRF alone lets a forged request execute but not read the reply, while the lax CORS policy is what lets the attacker's page read responses and so turns the flaw into data theft. Exploitation needs no credentials from the attacker, only that the user visit a page carrying the attacker's script from a browser that can reach the Aim server (CVSS: Privileges Required None, User Interaction Required). The consequences are loss of experiment data and unauthorized modification of user data.
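The following is an added example for this page, not Aim's server code and not the project's actual fix. It shows the two server-side checks the summary implies are missing: an origin check that fails closed on state-changing requests (the CSRF side) and a CORS header policy that grants read access only to allowlisted origins instead of reflecting whatever Origin arrives (the data-theft side). The allowed origins, API paths and port are assumptions, and the sample traffic is constructed.

```python
"""Origin-based CSRF check and CORS header policy for a dashboard API.

Added example: NOT Aim's code and not Aim's fix. ALLOWED_ORIGINS, the
API paths and the port are assumed values, not taken from the advisory.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Origins the dashboard is legitimately served from (assumed values).
ALLOWED_ORIGINS = {"http://localhost:43800", "https://aim.internal.example"}

# Methods that change state (delete a run, update notes) need CSRF checks.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        for key, value in self.headers.items():  # header names are case-insensitive
            if key.lower() == name.lower():
                return value
        return None


def request_origin(req: Request) -> Optional[str]:
    """Browser-reported source: Origin if present, else scheme://host of Referer."""
    origin = req.header("Origin")
    if origin:
        return origin.rstrip("/")
    referer = req.header("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(req: Request) -> tuple:
    """Allow a state-changing request only when the browser says it came from
    one of our own origins. Fail closed when the source is unknown: a forged
    cross-site request carries a foreign Origin, or none at all under a strict
    Referrer-Policy. Returns (allowed, reason)."""
    if req.method.upper() not in STATE_CHANGING:
        return True, "safe method"
    src = request_origin(req)
    if src is None:
        return False, "state-changing request without Origin/Referer"
    if src not in ALLOWED_ORIGINS:
        return False, f"cross-site origin rejected: {src}"
    return True, "same-site origin"


def cors_headers_weak(req: Request) -> dict:
    """The permissive pattern: reflect any Origin and allow credentials, so
    every page the user visits can read API responses (runs, logs, notes).
    Browsers refuse '*' together with credentials, which is why lax servers
    reflect the origin instead; '*' alone is just as bad on an unauthenticated
    server because nothing gates the read in the first place."""
    return {
        "Access-Control-Allow-Origin": req.header("Origin") or "*",
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE",
    }


def cors_headers_hardened(req: Request) -> dict:
    """Grant cross-origin access only to allowlisted origins. Anyone else gets
    no CORS headers, so even if the server answered, the browser withholds
    the response body from the attacker's page."""
    origin = req.header("Origin")
    if origin is None or origin.rstrip("/") not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE",
        "Vary": "Origin",  # response differs per origin; keep caches honest
    }


def handle(req: Request) -> dict:
    """What a middleware would do: the CSRF check gates state changes, the
    CORS policy gates what a cross-origin page may read."""
    allowed, reason = csrf_check(req)
    return {"status": 200 if allowed else 403, "reason": reason,
            "cors": cors_headers_hardened(req)}


if __name__ == "__main__":
    # Constructed sample traffic, not captured from any real deployment.
    for r in [
        Request("DELETE", "/api/runs/run-1", {"Origin": "http://localhost:43800"}),
        Request("DELETE", "/api/runs/run-1", {"Origin": "https://attacker.example"}),
        Request("POST", "/api/runs/run-1/notes", {"Referer": "http://localhost:43800/runs/run-1"}),
        Request("GET", "/api/runs/run-1/logs", {"Origin": "https://attacker.example"}),
    ]:
        print(r.method, r.path, handle(r))
```

The origin check is a defence in depth rather than the whole answer: the standard primary controls are a per-session CSRF token that the dashboard sends with every state-changing request and `SameSite` cookies on any session cookie. The one case this example deliberately rejects, a state-changing request with neither Origin nor Referer, is also the case where a token check is the only thing left to rely on. Note that the forged `GET` from the attacker origin still gets a 200: the server cannot stop the browser from sending it, but with no CORS grant the attacker's page never sees the log data.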

Affected Version(s)

aimhubio/aim (affected version range not specified on this page)

CVSS V3.1

Score: 8.8
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved

  • Vulnerability published (10 April 2024)

CVE-2024-2196 : Aimhubio's Aim Vulnerable to Cross-Site Request Forgery (CSRF) Attacks | SecurityVulnerability.io