CVE-2024-7760

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-7760

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-7760.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-7760

Aliases

GHSA-38r9-3j52-h92v

Published

2025-03-20T10:15:36.590Z

Modified

2026-04-10T05:19:42.203538Z

Severity

9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CORS settings, allowing cross-origin requests from all origins. This enables CSRF attacks on all endpoints of the tracking server, which can be chained with other existing vulnerabilities such as remote code execution, denial of service, and arbitrary file read/write.

References

https://huntr.com/bounties/2038df5f-4829-4040-8573-67bf9bb89229

Affected packages

Git / github.com/aimhubio/aim

Affected ranges

Type

GIT

Repo

https://github.com/aimhubio/aim

Events

Introduced

Last affected

88ac143708fad8737094b74e9e5b25689d18f1a6

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.22.0"
        }
    ]
}

Affected versions

Other

pre-launch

v0.*

v0.1.0

v0.1.1

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.2.6

v1.*

v1.0.0

v1.1.0

v1.1.1

v1.2.7rc1

v2.*

v2.1.6

v2.2.0

v2.3.0

v2.4.0

v2.5.0

v2.6.0

v2.7.0

v3.*

v3.0.0

v3.0.0-beta5

v3.0.0-beta6

v3.0.1

v3.0.2

v3.1.0

v3.1.1

v3.17.0

v3.17.1

v3.17.2

v3.17.3

v3.17.4

v3.17.5

v3.18.1

v3.19.0

v3.19.1

v3.2.0

v3.20.1

v3.21.0

v3.22.0

v3.3.0

v3.3.1

v3.3.2

v3.4.0

v3.5.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-7760.json"