VYPR
High severity · NVD Advisory · Published Jun 6, 2024 · Updated Aug 1, 2024

Cross-site Scripting (XSS) in SAML metadata endpoint in lunary-ai/lunary

CVE-2024-5478

Description

A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint /auth/saml/${org?.id}/metadata of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the orgId parameter supplied by the user before incorporating it into the generated response. Specifically, the endpoint generates XML responses for SAML metadata, where the orgId parameter is directly embedded into the XML structure without proper sanitization or validation. This flaw allows an attacker to inject arbitrary JavaScript code into the generated SAML metadata page, leading to potential theft of user cookies or authentication tokens.
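The defect described above, as an added example that is not lunary's code: a minimal SAML SP metadata responder that interpolates the orgId straight into the XML, next to a hardened version that validates and XML-escapes it. The route shape, identifier alphabet, function names and sample values are assumptions.

```javascript
// Added example, not lunary's code. Route shape, id alphabet and names are assumptions.

// Shared template. Whether the output is safe depends entirely on what `orgId` holds.
function renderMetadata(orgId, baseUrl) {
  return `<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="${baseUrl}/auth/saml/${orgId}/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="${baseUrl}/auth/saml/${orgId}/acs" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>`;
}

// Vulnerable pattern: the URL segment is used verbatim, so quotes and angle
// brackets from the request become markup in the served document.
function metadataUnsafe(orgId, baseUrl) {
  return { status: 200, body: renderMetadata(orgId, baseUrl) };
}

// Layer 1 of the fix: accept only a plausible identifier (alphabet assumed;
// match it to the real id format in use).
const ORG_ID_RE = /^[A-Za-z0-9_-]{1,64}$/;
function isValidOrgId(orgId) {
  return typeof orgId === "string" && ORG_ID_RE.test(orgId);
}

// Layer 2: escape the five XML-significant characters, so even a value that
// slips past validation cannot close the attribute or open an element.
function escapeXml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened handler: reject bad ids with 400, escape the good ones before inlining.
function metadataSafe(orgId, baseUrl) {
  if (!isValidOrgId(orgId)) return { status: 400, body: "invalid orgId" };
  return { status: 200, body: renderMetadata(escapeXml(orgId), baseUrl) };
}

// Constructed request value carrying XML metacharacters, as a crafted URL would.
const HOSTILE_ORG_ID = 'acme"><x>';
const BASE_URL = "https://app.example";
```

With the hostile value, `metadataUnsafe` reflects the raw `"><x>` into the XML while `metadataSafe` returns a 400; a well-formed id such as `org_123` renders normally through both.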

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XSS in the lunary-ai/lunary SAML metadata endpoint, caused by an unsanitized orgId, allows an attacker to inject arbitrary JavaScript.

Vulnerability

A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint /auth/saml/${org?.id}/metadata of lunary-ai/lunary version 1.2.7. The flaw arises because the application fails to escape or validate the orgId parameter before incorporating it into the generated XML response. This allows an attacker to inject arbitrary JavaScript code into the SAML metadata page [1][2].

Exploitation

An attacker can craft a malicious orgId parameter containing JavaScript code. When a user visits the affected endpoint with the crafted parameter, the script executes in the context of the SAML metadata page. No authentication is required to trigger the vulnerability, as the attacker only needs to trick a victim into clicking a specially crafted link [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to theft of user cookies or authentication tokens, potentially resulting in account takeover or unauthorized access [2].

Mitigation

The vendor has addressed this issue in a subsequent release. Users should upgrade to the latest version of lunary-ai/lunary. No workarounds are available [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
lunary (npm)     <= 1.2.7            (none listed)

Affected products (2)

  • ghsa-coords
    Range: <= 1.2.7
  • lunary-ai/lunary-ai/lunaryv5
    Range: unspecified

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.