Lunary
by Lunary AI
CVEs (71)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-6087 | Lunary AI / Lunary | | 0.00 | — | 0.00 | | Sep 13, 2024 | An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to… |
| CVE-2024-6582 | Lunary AI / Lunary | | 0.00 | — | 0.00 | | Sep 13, 2024 | A broken access control vulnerability exists in the latest version of lunary-ai/lunary. The `saml.ts` file allows a user from one organization to update the Identity Provider (IDP) settings and view the SSO metadata of another organization. This vulnerability can lead to… |
| CVE-2024-6086 | Lunary AI / Lunary | | 0.00 | — | 0.00 | | Jun 27, 2024 | In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor'… |
| CVE-2024-5755 | Lunary AI / Lunary | | 0.00 | — | 0.00 | | Jun 27, 2024 | In lunary-ai/lunary versions <=v1.2.11, an attacker can bypass email validation by using a dot character ('.') in the email address. This allows the creation of multiple accounts with essentially the same email address (e.g., 'attacker123@gmail.com' and… |
| CVE-2024-5714 | Lunary AI / Lunary | | 0.00 | — | 0.01 | | Jun 27, 2024 | In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other… |
| CVE-2024-5389 | Lunary AI / Lunary | | 0.00 | — | 0.00 | | Jun 9, 2024 | In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the… |
| CVE-2024-4146 | Lunary AI / Lunary | | 0.00 | — | 0.01 | | Jun 8, 2024 | In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. Specifically, the vulnerability is located in the `checkProjectAccess`… |
| CVE-2024-5328 | Lunary AI / Lunary | | 0.00 | — | 0.00 | | Jun 6, 2024 | A Server-Side Request Forgery (SSRF) vulnerability exists in the lunary-ai/lunary application, specifically within the endpoint '/auth/saml/tto/download-idp-xml'. The vulnerability arises due to the application's failure to validate user-supplied URLs before using them in… |
| CVE-2024-5248 | Lunary AI / Lunary | | 0.00 | — | 0.00 | | Jun 6, 2024 | In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. The platform's role definitions restrict the `Prompt Editor` role to prompt management and project viewing/listing… |
| CVE-2024-5130 | Lunary AI / Lunary | | 0.00 | — | 0.00 | | Jun 6, 2024 | An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. The vulnerability is due to the lack of proper authorization checks in the dataset deletion endpoint. Specifically,… |
| CVE-2024-5131 | Lunary AI / Lunary | | 0.00 | — | 0.00 | | Jun 6, 2024 | An Improper Access Control vulnerability exists in the lunary-ai/lunary repository, affecting versions up to and including 1.2.2. The vulnerability allows unauthorized users to view any prompts in any projects by supplying a specific prompt ID to an endpoint that does not… |
| CVE-2024-5129 | Lunary AI / Lunary | | 0.00 | — | 0.00 | | Jun 6, 2024 | A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. The vulnerability is present in the dataset deletion functionality, where the application fails to verify if the user… |
| CVE-2024-5133 | Lunary AI / Lunary | | 0.00 | — | 0.01 | | Jun 6, 2024 | In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Specifically, when a user initiates the password reset process, the recovery token is included in the response of the `GET… |
| CVE-2024-5478 | Lunary AI / Lunary | | 0.00 | — | 0.00 | | Jun 6, 2024 | A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the `orgId` parameter supplied by the user before… |
| CVE-2024-5126 | Lunary AI / Lunary | | 0.00 | — | 0.00 | | Jun 6, 2024 | An improper access control vulnerability exists in the lunary-ai/lunary repository, specifically within the versions.patch functionality for updating prompts. Affected versions include 1.2.2 up to but not including 1.2.25. The vulnerability allows unauthorized users to update… |
| CVE-2024-5128 | Lunary AI / Lunary | | 0.00 | — | 0.01 | | Jun 6, 2024 | An Insecure Direct Object Reference (IDOR) vulnerability was identified in lunary-ai/lunary, affecting versions up to and including 1.2.2. This vulnerability allows unauthorized users to view, update, or delete any dataset_prompt or dataset_prompt_variation within any dataset or… |
| CVE-2024-3504 | Lunary AI / Lunary | | 0.00 | — | 0.00 | | Jun 6, 2024 | An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is… |
| CVE-2024-5277 | Lunary AI / Lunary | | 0.00 | — | 0.00 | | Jun 6, 2024 | In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account. The issue… |
| CVE-2024-5127 | Lunary AI / Lunary | | 0.00 | — | 0.00 | | Jun 6, 2024 | In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend… |
| CVE-2024-4148 | Lunary AI / Lunary | | 0.00 | — | 0.01 | | Jun 1, 2024 | A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary application, version 1.2.10. An attacker can exploit this vulnerability by maliciously manipulating regular expressions, which can significantly impact the response time of the… |