CVE-2024-7760 HIGH

CVE-2024-7760: CSRF in aimhubio/aim

Vendor Aimhubio
Product aimhubio/aim
Weakness CWE-352 · CSRF
Published March 20, 2025
Last update March 20, 2025
View on NVD All CVEs

CVSS base score

7.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CORS settings, allowing cross-origin requests from all origins. This enables CSRF attacks on all endpoints of the tracking server, which can be chained with other existing vulnerabilities such as remote code execution, denial of service, and arbitrary file read/write.

Key dates

02Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-4938 WCFM Frontend Manager <= 6.5.13 - Cross-Site Request Forgery CVE-2022-1603 Mail Subscribe List < 2.1.4 - Arbitrary Subscribed User Deletion via CSRF CVE-2025-23530 WordPress Custom Post Type Lockdown plugin <= 1.11 - CSRF to Privilege Escalation vulnerability CVE-2026-32443 WordPress Product Feed PRO for WooCommerce plugin <= 13.5.2 - Cross Site Request Forgery (CSRF) vulnerability CVE-2024-2741 Cross-Site Request Forgery in Planet IGS-4215-16T2S