CVE-2024-2196 HIGH

CVE-2024-2196: CSRF Vulnerability in aimhubio/aim

Vendor Aimhubio
Product aimhubio/aim
Weakness CWE-352 · CSRF
Published April 10, 2024
Last update August 1, 2024

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF). The aim server's API accepts state-changing requests without any anti-CSRF token or origin check, and the dashboard applies no restrictive CORS policy, so a foreign page can not only send requests but also read the responses; that is what makes theft of data such as log records and notes possible, rather than only blind modification. An attacker exploits this by getting a user to open an attacker-controlled web page in a browser that can reach the aim server. Script on that page then issues requests to the aim server that delete runs, update run data, and read stored records, all without the user's consent. The only user interaction is loading the attacker's page; no action on the aim dashboard is needed, which matches the CVSS rating of user interaction required with no privileges required. Note that the aim dashboard is commonly run without authentication on localhost, and localhost is not a boundary for the browser: a page served from any site can address http://127.0.0.1 on the victim's machine. The impact is loss and unauthorized manipulation of tracked experiment data and disclosure of whatever the server stores.
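The two controls the description says are missing can be demonstrated independently of any web framework. What follows is an added example, not code from the Aim project: a CSRF guard that decides on the Origin and Fetch Metadata request headers, and an explicit CORS allowlist shown next to the permissive pattern to avoid. The sample requests are constructed to play the roles described above (the dashboard itself, a page on attacker.example, a non-browser client); the default dashboard origin http://127.0.0.1:43800, the endpoint paths and the run hash are assumptions used only for illustration.

```python
# Added example, not Aim's own code. Endpoint paths, the run hash and the
# dashboard origin http://127.0.0.1:43800 are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
DASHBOARD = "http://127.0.0.1:43800"  # assumed default `aim up` origin


@dataclass
class Request:
    """Minimal stand-in for a request as a server middleware sees it."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def normalize_origin(value: str) -> str:
    """Reduce a URL or Origin value to lowercase scheme://host[:port]."""
    parts = urlsplit(value)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def csrf_allowed(req: Request, allowed_origins: List[str]) -> bool:
    """Decide whether a state-changing request may proceed.

    1. Safe methods never change state, so they are not CSRF targets.
    2. If the browser sent Sec-Fetch-Site, only same-origin or user-typed
       ("none") requests are accepted; cross-site and same-site are rejected.
    3. Otherwise the Origin header (Referer as fallback for older browsers)
       must be on the allowlist. A mutating request with neither header is
       rejected: browsers always send Origin on cross-origin POST/PUT/DELETE,
       so non-browser automation should authenticate explicitly instead of
       being exempted from this check.
    """
    if req.method.upper() in SAFE_METHODS:
        return True
    site = req.header("Sec-Fetch-Site")
    if site is not None and site not in {"same-origin", "none"}:
        return False
    origin = req.header("Origin") or req.header("Referer")
    if origin is None:
        return False
    allowed = {normalize_origin(o) for o in allowed_origins}
    return normalize_origin(origin) in allowed


def cors_headers(req: Request, allowed_origins: List[str]) -> Dict[str, str]:
    """Hardened CORS: answer only for an explicit allowlist, never echo others.

    Without Access-Control-Allow-Origin the browser still sends the request
    but refuses to hand the response body to the foreign page.
    """
    origin = req.header("Origin")
    if origin is None:
        return {}
    if normalize_origin(origin) not in {normalize_origin(o) for o in allowed_origins}:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
        "Access-Control-Allow-Headers": "Content-Type",
    }


def permissive_cors_headers(req: Request) -> Dict[str, str]:
    """The pattern to avoid: reflect whatever Origin arrives. In effect the
    same as allowing every origin; any page can read the server's responses."""
    origin = req.header("Origin")
    return {"Access-Control-Allow-Origin": origin} if origin else {}


# Constructed sample traffic (not captured from a real aim server).
SAMPLE_REQUESTS = {
    "dashboard_delete": Request("DELETE", "/api/runs/abc123",
                                {"Origin": DASHBOARD, "Sec-Fetch-Site": "same-origin"}),
    "attacker_delete": Request("DELETE", "/api/runs/abc123",
                               {"Origin": "https://attacker.example",
                                "Sec-Fetch-Site": "cross-site"}),
    # Older browser: no Fetch Metadata, Origin still present on a cross-origin POST.
    "attacker_form_post": Request("POST", "/api/runs/delete-batch",
                                  {"Origin": "https://attacker.example"}),
    "attacker_read": Request("GET", "/api/runs/abc123/logs",
                             {"Origin": "https://attacker.example",
                              "Sec-Fetch-Site": "cross-site"}),
    "curl_delete": Request("DELETE", "/api/runs/abc123", {}),
}


def evaluate(allowed_origins=(DASHBOARD,)) -> Dict[str, Dict[str, bool]]:
    """Run every sample request through both checks and report the decisions."""
    allowed = list(allowed_origins)
    return {
        name: {
            "csrf_allowed": csrf_allowed(req, allowed),
            "cors_exposes_response": "Access-Control-Allow-Origin" in cors_headers(req, allowed),
            "permissive_exposes_response": "Access-Control-Allow-Origin" in permissive_cors_headers(req),
        }
        for name, req in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:20s} {verdict}")
```

The attacker's GET for log records is the instructive row: the CSRF guard lets it through, because a read changes no state, and it is the CORS allowlist alone that stops the attacker's page from seeing the body. With the permissive policy that same request exposes the response, which is the data-theft half of the advisory. The guard and the allowlist are therefore both needed; neither substitutes for the other.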

Disclosure timeline

April 10, 2024 CVE published
August 1, 2024 Record updated
