CVE-2024-2196

HIGH8.8EPSS 0.54%

Aim Cross-Site Request Forgery vulnerability allows user to delete runs and perform other operations

發布日:2024/4/10修改日:2024/4/10

描述

aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboard. An attacker can exploit this by tricking a user into executing a malicious script that sends unauthorized requests to the aim server, leading to potential data loss and unauthorized data manipulation.

受影響套件(1)

PyPI/aimfrom 0, <= 3.17.5

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-2196
PATCHhttps://github.com/aimhubio/aim
WEBhttps://huntr.com/bounties/e141e3f2-afbb-405f-a891-f66628c8b68f