VYPR

Lunary

by Lunary AI

npm: lunary

CVEs (71)

  • CVE-2024-6087, Sep 13, 2024
    risk 0.00 cvss, epss 0.00

    An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to…

  • CVE-2024-6582, Sep 13, 2024
    risk 0.00 cvss, epss 0.00

    A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to…

  • CVE-2024-6086, Jun 27, 2024
    risk 0.00 cvss, epss 0.00

    In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor'…

  • CVE-2024-5755, Jun 27, 2024
    risk 0.00 cvss, epss 0.00

    In lunary-ai/lunary versions <=v1.2.11, an attacker can bypass email validation by using a dot character ('.') in the email address. This allows the creation of multiple accounts with essentially the same email address (e.g., 'attacker123@gmail.com' and…

  • CVE-2024-5714, Jun 27, 2024
    risk 0.00 cvss, epss 0.01

    In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other…

  • CVE-2024-5389, Jun 9, 2024
    risk 0.00 cvss, epss 0.00

    In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the…

  • CVE-2024-4146, Jun 8, 2024
    risk 0.00 cvss, epss 0.01

    In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess`…

  • CVE-2024-5328, Jun 6, 2024
    risk 0.00 cvss, epss 0.00

    A Server-Side Request Forgery (SSRF) vulnerability exists in the lunary-ai/lunary application, specifically within the endpoint '/auth/saml/tto/download-idp-xml'. The vulnerability arises due to the application's failure to validate user-supplied URLs before using them in…

  • CVE-2024-5248, Jun 6, 2024
    risk 0.00 cvss, epss 0.00

    In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. The platform's role definitions restrict the `Prompt Editor` role to prompt management and project viewing/listing…

  • CVE-2024-5130, Jun 6, 2024
    risk 0.00 cvss, epss 0.00

    An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically,…

  • CVE-2024-5131, Jun 6, 2024
    risk 0.00 cvss, epss 0.00

    An Improper Access Control vulnerability exists in the lunary-ai/lunary repository, affecting versions up to and including 1.2.2. The vulnerability allows unauthorized users to view any prompts in any projects by supplying a specific prompt ID to an endpoint that does not…

  • CVE-2024-5129, Jun 6, 2024
    risk 0.00 cvss, epss 0.00

    A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. The vulnerability is present in the dataset deletion functionality, where the application fails to verify if the user…

  • CVE-2024-5133, Jun 6, 2024
    risk 0.00 cvss, epss 0.01

    In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Specifically, when a user initiates the password reset process, the recovery token is included in the response of the `GET…

  • CVE-2024-5478, Jun 6, 2024
    risk 0.00 cvss, epss 0.00

    A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the `orgId` parameter supplied by the user before…

  • CVE-2024-5126, Jun 6, 2024
    risk 0.00 cvss, epss 0.00

    An improper access control vulnerability exists in the lunary-ai/lunary repository, specifically within the versions.patch functionality for updating prompts. Affected versions include 1.2.2 up to but not including 1.2.25. The vulnerability allows unauthorized users to update…

  • CVE-2024-5128, Jun 6, 2024
    risk 0.00 cvss, epss 0.01

    An Insecure Direct Object Reference (IDOR) vulnerability was identified in lunary-ai/lunary, affecting versions up to and including 1.2.2. This vulnerability allows unauthorized users to view, update, or delete any dataset_prompt or dataset_prompt_variation within any dataset or…

  • CVE-2024-3504, Jun 6, 2024
    risk 0.00 cvss, epss 0.00

    An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is…

  • CVE-2024-5277, Jun 6, 2024
    risk 0.00 cvss, epss 0.00

    In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account. The issue…

  • CVE-2024-5127, Jun 6, 2024
    risk 0.00 cvss, epss 0.00

    In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend…

  • CVE-2024-4148, Jun 1, 2024
    risk 0.00 cvss, epss 0.01

    A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary application, version 1.2.10. An attacker can exploit this vulnerability by maliciously manipulating regular expressions, which can significantly impact the response time of the…