VYPR

Lunary

by Lunary AI

npm: lunary

CVEs (71)

  • CVE-2024-4154 (May 21, 2024)
    risk 0.00 | cvss | epss 0.00

    In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not…

  • CVE-2024-4151 (May 20, 2024)
    risk 0.00 | cvss | epss 0.00

    An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling of PATCH and GET requests for template versions. This vulnerability allows…

  • CVE-2024-3761 (May 20, 2024)
    risk 0.00 | cvss | epss 0.00

    In lunary-ai/lunary version 1.2.2, the DELETE endpoint located at `packages/backend/src/api/v1/datasets` is vulnerable to unauthorized dataset deletion due to missing authorization and authentication mechanisms. This vulnerability allows any user, even those without a valid…

  • CVE-2024-1739 (Apr 16, 2024)
    risk 0.00 | cvss | epss 0.01

    lunary-ai/lunary is vulnerable to an authentication issue due to improper validation of email addresses during the signup process. Specifically, the server fails to treat email addresses as case insensitive, allowing the creation of multiple accounts with the same email address…

  • CVE-2024-1626 (Apr 16, 2024)
    risk 0.00 | cvss | epss 0.00

    An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization…

  • CVE-2024-1738 (Apr 16, 2024)
    risk 0.00 | cvss | epss 0.01

    An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply…

  • CVE-2024-1666 (Apr 16, 2024)
    risk 0.00 | cvss | epss 0.00

    In lunary-ai/lunary version 1.0.0, an authorization flaw exists that allows unauthorized radar creation. The vulnerability stems from the lack of server-side checks to verify if a user is on a free account during the radar creation process, which is only enforced in the web UI.…

  • CVE-2024-1902 (Apr 10, 2024)
    risk 0.00 | cvss | epss 0.00

    lunary-ai/lunary is vulnerable to a session reuse attack, allowing a removed user to change the organization name without proper authorization. The vulnerability stems from the lack of validation to check if a user is still part of an organization before allowing them to make…

  • CVE-2024-1740 (Apr 10, 2024)
    risk 0.00 | cvss | epss 0.01

    In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary web application communicates with the server using an 'Authorization' token in…

  • CVE-2024-1741 (Apr 10, 2024)
    risk 0.00 | cvss | epss 0.01

    lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. Despite being removed from an organization, these members can still perform operations on…

  • CVE-2024-1625 (Apr 10, 2024)
    risk 0.00 | cvss | epss 0.00

    An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. The vulnerability is due to insufficient authorization checks in the project deletion endpoint, where…

Page 4 of 4