CVE-2024-2196
Published: 2024-04-10
Priority: P3 43 | Severity: high | CVSS 3.0 base score: 8.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.53% (40.8th percentile)
aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboard. An attacker can exploit this by tricking a user into executing a malicious script that sends unauthorized requests to the aim server, leading to potential data loss and unauthorized data manipulation.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aimhubio | aimhubio_aim | unspecified – latest | — |
| aimstack | aim | — | — |
| aimstack | aim | 0 – 3.17.5 | — |
GHSA · 2024-04-10
CVE-2024-2196 [HIGH] CWE-352: Aim Cross-Site Request Forgery vulnerability allows user to delete runs and perform other operations
OSV · 2024-04-10
CVE-2024-2196 [HIGH]: Aim Cross-Site Request Forgery vulnerability allows user to delete runs and perform other operations
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-04-10