CSRF in aimhubio/aim
Description
aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CORS settings, allowing cross-origin requests from all origins. This enables CSRF attacks on all endpoints of the tracking server, which can be chained with other existing vulnerabilities such as remote code execution, denial of service, and arbitrary file read/write.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-Site Request Forgery (CSRF) in aimhubio/aim 3.22.0 due to overly permissive CORS settings, enabling attacks on all tracking server endpoints.
Vulnerability Analysis
CVE-2024-7760 describes a Cross-Site Request Forgery (CSRF) vulnerability in the aimhubio/aim tracking server version 3.22.0. The root cause is an overly permissive CORS (Cross-Origin Resource Sharing) configuration that allows cross-origin requests from all origins (*). This misconfiguration enables an attacker to craft malicious web pages that can trigger unauthorized actions on behalf of an authenticated user against the tracking server [1][2].
Exploitation Scenario
An attacker can exploit this vulnerability by tricking a victim who is currently authenticated to an aim tracking server into visiting a malicious page. Because the CORS policy allows any origin, the attacker's page can make arbitrary cross-origin requests to the tracking server's endpoints, inheriting the victim's session credentials. The vulnerability affects all endpoints of the tracking server, meaning an attacker can interact with any API without restriction [2][3].
Impact
The CSRF vulnerability is particularly severe because it can be chained with other existing vulnerabilities in aim, such as remote code execution (RCE), denial of service (DoS), and arbitrary file read/write. By combining CSRF with these exploits, an attacker could achieve full compromise of the tracking server and its data, including execution of arbitrary code on the server, making the attack impact critical [2].
Mitigation Status
As of the publication date, the vulnerability exists in aim version 3.22.0. Users are advised to update to a patched version as soon as one becomes available. The project maintainers should implement proper CORS origin validation to only allow trusted domains, and users should consider additional protections such as CSRF tokens and same-site cookie attributes. No CVE was found that supersedes this one in the references; the provided references link to the project page [1], the NVD entry [2], and the Huntr bounty page [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aim (PyPI) | <= 3.22.0 | — |
Affected products
- aimhubio/aim v5, range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.