CVE-2024-2196: Aim Cross-Site Request Forgery vulnerability allows user to delete runs and perform other operations

April 10, 2024

aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user’s consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboard. An attacker can exploit this by tricking a user into executing a malicious script that sends unauthorized requests to the aim server, leading to potential data loss and unauthorized data manipulation.

References

github.com/advisories/GHSA-99w2-67h8-5948
github.com/aimhubio/aim
huntr.com/bounties/e141e3f2-afbb-405f-a891-f66628c8b68f
nvd.nist.gov/vuln/detail/CVE-2024-2196

Detect and mitigate CVE-2024-2196 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →