Lucene search

Veracode Vulnerability DatabaseVERACODE:46376

HistoryApr 12, 2024 - 4:09 a.m.

Cross-Site Request Forgery (CSRF)

2024-04-1204:09:28

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross-site request forgery

cors protection

aim dashboard

attacker actions

data theft

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.2%

JSON

aim is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to the lack of CSRF and CORS protection in the aim dashboard, allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user’s consent.

CPENameOperatorVersion
aimle4.1.0.dev20231012
aimle4.1.0.dev20231012

CPE	Name	Operator	Version
	aim	le	4.1.0.dev20231012
	aim	le	4.1.0.dev20231012

References

github.com/advisories/GHSA-99w2-67h8-5948

huntr.com/bounties/e141e3f2-afbb-405f-a891-f66628c8b68f

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.1 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.2%

JSON

Related for VERACODE:46376