CVE-2024-2196 — HIGH (8.8) — White Hats Nepal

Vulnerability Description

aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboard. An attacker can exploit this by tricking a user into executing a malicious script that sends unauthorized requests to the aim server, leading to potential data loss and unauthorized data manipulation.

CVSS Score

8.8

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Aimstack	Aim	3.17.5

Related Weaknesses (CWE)

CWE-352

References

https://huntr.com/bounties/e141e3f2-afbb-405f-a891-f66628c8b68fExploitThird Party Advisory
https://huntr.com/bounties/e141e3f2-afbb-405f-a891-f66628c8b68fExploitThird Party Advisory

FAQ

What is CVE-2024-2196?

CVE-2024-2196 is a vulnerability with a CVSS score of 8.8 (HIGH). aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the us...

How severe is CVE-2024-2196?

CVE-2024-2196 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-2196?

Check the references section above for vendor advisories and patch information. Affected products include: Aimstack Aim.