CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1902 – Session Reuse Vulnerability in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-1902
10 Apr 2024 — lunary-ai/lunary is vulnerable to a session reuse attack, allowing a removed user to change the organization name without proper authorization. The vulnerability stems from the lack of validation to check if a user is still part of an organization before allowing them to make changes. An attacker can exploit this by using an old authorization token to send a PATCH request, modifying the organization's name even after being removed from the organization. This issue is due to incorrect synchronization and aff... • https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f08853d2 • CWE-821: Incorrect Synchronization •
CVSS: 9.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-1741 – Improper Authorization in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-1741
10 Apr 2024 — lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. Despite being removed from an organization, these members can still perform operations on prompt templates by sending HTTP requests with their previously captured authorization token. This issue exposes organizations to unauthorized access and manipulation of sensitive template data. lunary-ai/lunary versión 1.0.1 es vulnerabl... • https://github.com/lunary-ai/lunary/commit/d8e2e73efd53ab4e92cf47bbf4b639a9f08853d2 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1643 – Unauthorized Organization Access in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-1643
10 Apr 2024 — By knowing an organization's ID, an attacker can join the organization without permission and gain the ability to read and modify all data within that organization. This vulnerability allows unauthorized access and modification of sensitive information, posing a significant security risk. The flaw is due to insufficient verification of user permissions when joining an organization. • https://github.com/lunary-ai/lunary/commit/67eaefe1c77c882c628780940c704a117b561d51 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-1625 – IDOR Vulnerability in lunary-ai/lunary
https://notcve.org/view.php?id=CVE-2024-1625
10 Apr 2024 — An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. The vulnerability is due to insufficient authorization checks in the project deletion endpoint, where the endpoint fails to verify if the project ID provided in the request belongs to the requesting user's organization. As a result, an attacker can delete projects belonging to any organization by sending a crafted DELETE request with... • https://github.com/lunary-ai/lunary/commit/88f98e29f19da9d1f5de45c5b163fd5b48e0bcec • CWE-639: Authorization Bypass Through User-Controlled Key CWE-863: Incorrect Authorization •