CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-3504 – Improper Access Control in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-3504
06 Jun 2024 — An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is resolved in version 1.2.7. Existe una vulnerabilidad de control de acceso inadecuado en las versiones lunary-ai/lunary hasta la 1.2.2 incluida, donde un administrador puede actualizar cualquier usuario de la organización al propieta... • https://github.com/lunary-ai/lunary/commit/f7507f0949f6634f725ebb8da37c44f76542901f • CWE-284: Improper Access Control •
CVSS: 7.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-5277 – Weak Password Recovery Mechanism in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-5277
06 Jun 2024 — In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account. The issue lies in the backend's handling of the reset password process, where the token, once used, is not discarded or invalidated, enabling its reuse. This vulnerability could lead to unauthorized account access if an attacker obtains the r... • https://huntr.com/bounties/6aaba769-d99c-48cf-90d2-7abad984213d • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-5127 – Improper Access Control in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-5127
06 Jun 2024 — In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend validation of roles and permissions, enabling unauthorized users to join a project and potentially exploit roles and permissions not intended for their use. The vulnerability specifically affects the Team feature, where the backend f... • https://github.com/lunary-ai/lunary/commit/b7bd3a830a0f47ba07d0fd57bf78c4dd8a216297 • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-4148 – Redos (Regular Expression Denial of Service) in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-4148
01 Jun 2024 — A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary application, version 1.2.10. An attacker can exploit this vulnerability by maliciously manipulating regular expressions, which can significantly impact the response time of the application and potentially render it completely non-functional. Specifically, the vulnerability can be triggered by sending a specially crafted request to the application, leading to a denial of service where the application crashes. Existe u... • https://huntr.com/bounties/eca4ad45-2a38-4f3c-9ec1-8205cd51be31 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-4154 – Incorrect Synchronization in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-4154
21 May 2024 — In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not having the necessary permissions or being assigned to the project. This issue allows for unauthorized modification of project names, potentially leading to confusion or unauthorized access to project resources. En lunary-ai/lunary v... • https://huntr.com/bounties/e56509af-f7af-4e1e-a04b-9cb53545f30f • CWE-639: Authorization Bypass Through User-Controlled Key CWE-821: Incorrect Synchronization •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3761 – Missing Authorization on Delete Datasets in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-3761
20 May 2024 — In lunary-ai/lunary version 1.2.2, the DELETE endpoint located at `packages/backend/src/api/v1/datasets` is vulnerable to unauthorized dataset deletion due to missing authorization and authentication mechanisms. This vulnerability allows any user, even those without a valid token, to delete a dataset by sending a DELETE request to the endpoint. The issue was fixed in version 1.2.8. The impact of this vulnerability is significant as it permits unauthorized users to delete datasets, potentially leading to dat... • https://github.com/lunary-ai/lunary/commit/14078c1d2b8766075bf655f187ece24c7a787776 • CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1739 – Case Insensitive Email Address Validation Vulnerability in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-1739
16 Apr 2024 — lunary-ai/lunary is vulnerable to an authentication issue due to improper validation of email addresses during the signup process. Specifically, the server fails to treat email addresses as case insensitive, allowing the creation of multiple accounts with the same email address by varying the case of the email characters. For example, accounts for 'abc@gmail.com' and 'Abc@gmail.com' can both be created, leading to potential impersonation and confusion among users. lunary-ai/lunary es vulnerable a un problem... • https://github.com/lunary-ai/lunary/commit/7351157a21e5acd0162b4528bcae9d65b1c95695 • CWE-821: Incorrect Synchronization •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-1626 – IDOR Vulnerability in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-1626
16 Apr 2024 — An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization checks, by directly referencing the project's ID in the PATCH request to the '/v1/projects/:projectId' endpoint. This issue arises because the endpoint does not verify if the provided project ID belongs to the currently authenticated u... • https://github.com/lunary-ai/lunary/commit/9eb9e526edff8bf82ae032f7a04867c8d58572bc • CWE-250: Execution with Unnecessary Privileges CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1738 – Incorrect Authorization in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-1738
16 Apr 2024 — An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply knowing the evaluation ID, due to the lack of project ID verification in the SQL query. As a result, attackers can gain access to potentially private data contained within the evaluation results. Existe una vulnerabilidad de autorización... • https://github.com/lunary-ai/lunary/commit/a4e61122e61dc31460cfbe54d15fae389cc440ce • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1666 – Unauthorized Radar Creation in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-1666
16 Apr 2024 — In lunary-ai/lunary version 1.0.0, an authorization flaw exists that allows unauthorized radar creation. The vulnerability stems from the lack of server-side checks to verify if a user is on a free account during the radar creation process, which is only enforced in the web UI. As a result, attackers can bypass the intended account upgrade requirement by directly sending crafted requests to the server, enabling the creation of an unlimited number of radars without payment. En lunary-ai/lunary versión 1.0.0,... • https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54 • CWE-770: Allocation of Resources Without Limits or Throttling •