Cross-Site Request Forgery Vulnerability in AimHubio Tracking Server
CVE-2024-7760

7.4HIGH

Key Information:

Vendor: Aimhubio
Status: Aimhubio/aim
Vendor: CVE Published:; 20 March 2025

Summary

AimHubio's Aim version 3.22.0 is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability due to overly permissive CORS settings. This flaw allows for cross-origin requests from any source, enabling attackers to exploit all endpoints of the tracking server. The CSRF attacks could be leveraged in conjunction with other vulnerabilities, potentially facilitating remote code execution, denial of service, and arbitrary file read/write, thereby posing significant security challenges.

Affected Version(s)

aimhubio/aim <= unspecified

References

https://huntr.com/bounties/2038df5f-4829-4040-8573-67bf9b...

CVSS V3.0

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Aug 13, 2024