Filtered by vendor Lunary-ai
Subscriptions
Filtered by product Lunary
Subscriptions
Total
7 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-7474 | 2 Lunary, Lunary-ai | 2 Lunary, Lunary | 2024-11-14 | 9.1 Critical |
In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. A user can view or delete external users by manipulating the 'id' parameter in the request URL. The application does not perform adequate checks on the 'id' parameter, allowing unauthorized access to external user data. | ||||
CVE-2024-7473 | 2 Lunary, Lunary-ai | 2 Lunary, Lunary | 2024-11-03 | 6.5 Medium |
An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. This vulnerability allows an authenticated user to update other users' prompts by manipulating the 'id' parameter in the request. The issue is fixed in version 1.4.3. | ||||
CVE-2024-5131 | 2 Lunary, Lunary-ai | 2 Lunary, Lunary | 2024-11-03 | 6.5 Medium |
An Improper Access Control vulnerability exists in the lunary-ai/lunary repository, affecting versions up to and including 1.2.2. The vulnerability allows unauthorized users to view any prompts in any projects by supplying a specific prompt ID to an endpoint that does not adequately verify the ownership of the prompt ID. This issue was fixed in version 1.2.25. | ||||
CVE-2024-5130 | 2 Lunary, Lunary-ai | 2 Lunary, Lunary | 2024-11-03 | 7.5 High |
An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically, the endpoint does not verify if the provided project ID belongs to the current user, thereby allowing any dataset to be deleted without proper authentication. This issue was fixed in version 1.2.8. | ||||
CVE-2024-5128 | 2 Lunary, Lunary-ai | 2 Lunary, Lunary | 2024-11-03 | 8.8 High |
An Insecure Direct Object Reference (IDOR) vulnerability was identified in lunary-ai/lunary, affecting versions up to and including 1.2.2. This vulnerability allows unauthorized users to view, update, or delete any dataset_prompt or dataset_prompt_variation within any dataset or project. The issue stems from improper access control checks in the dataset management endpoints, where direct references to object IDs are not adequately secured against unauthorized access. This vulnerability was fixed in version 1.2.25. | ||||
CVE-2024-5127 | 2 Lunary, Lunary-ai | 2 Lunary, Lunary | 2024-11-03 | 5.4 Medium |
In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend validation of roles and permissions, enabling unauthorized users to join a project and potentially exploit roles and permissions not intended for their use. The vulnerability specifically affects the Team feature, where the backend fails to validate whether a user has paid for a plan before allowing them to send invite links with any role assigned. This could lead to unauthorized access and manipulation of project settings or data. | ||||
CVE-2024-7472 | 2 Lunary, Lunary-ai | 2 Lunary, Lunary | 2024-10-31 | 6.5 Medium |
lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a different whitespace character (e.g., \xa0). This vulnerability can be exploited to conduct phishing attacks, damage the application's brand, cause legal and compliance issues, and result in financial impact due to unauthorized email usage. |
Page 1 of 1.