CVE-2024-7760 – aim

Package

Manager: pip
Name: aim
Vulnerable Version: >=0 <=3.22.0

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00048 pctl0.14221

Details

Aim vulnerable to Cross-Site Request Forgery aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CORS settings, allowing cross-origin requests from all origins. This enables CSRF attacks on all endpoints of the tracking server, which can be chained with other existing vulnerabilities such as remote code execution, denial of service, and arbitrary file read/write.

Metadata

Created: 2025-03-20T12:32:46Z
Modified: 2025-07-22T14:34:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-38r9-3j52-h92v/GHSA-38r9-3j52-h92v.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-38r9-3j52-h92v
Finding: F007
Auto approve: 1