CVE-2024-7760
Published 2025-03-20
Priority: P3 · 51 · Critical 9.6 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:C / C:H / I:H / A:H
EPSS: 0.47% (37.5th percentile)
aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CORS settings, allowing cross-origin requests from all origins. This enables CSRF attacks on all endpoints of the tracking server, which can be chained with other existing vulnerabilities such as remote code execution, denial of service, and arbitrary file read/write.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aimhubio | aimhubio_aim | unspecified – latest | — |
| aimstack | aim | — | — |
| aimstack | aim | 0 – 3.22.0 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| nvd | v3.0 | 7.4 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
| vendor_oracle | — | 7.5 | MEDIUM | — |
OSV
osv · 2025-03-20
CVE-2024-7760 [HIGH] Aim vulnerable to Cross-Site Request Forgery
GHSA
ghsa · 2025-03-20
CVE-2024-7760 [HIGH] CWE-352 Aim vulnerable to Cross-Site Request Forgery
Oracle
vendor_oracle · 2024-01-15 · CVSS 7.5
CVE-2020-7760 [MEDIUM] Oracle Utilities Applications Risk Matrix: User Interface (CodeMirror) vulnerability
CVE: CVE-2020-7760
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2024 (JAN 2024)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.