Vendor CVEs
Lunary AI
All CVEs
71 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-5131 | 0.00 | — | 0.00 | Jun 6, 2024 | An Improper Access Control vulnerability exists in the lunary-ai/lunary repository, affecting versions up to and including 1.2.2. The vulnerability allows unauthorized users to view any prompts in any projects by supplying a specific prompt ID to an endpoint that does not… | |||
| CVE-2024-5129 | 0.00 | — | 0.00 | Jun 6, 2024 | A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. The vulnerability is present in the dataset deletion functionality, where the application fails to verify if the user… | |||
| CVE-2024-5133 | 0.00 | — | 0.01 | Jun 6, 2024 | In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Specifically, when a user initiates the password reset process, the recovery token is included in the response of the `GET… | |||
| CVE-2024-5478 | 0.00 | — | 0.00 | Jun 6, 2024 | A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the `orgId` parameter supplied by the user before… | |||
| CVE-2024-5126 | 0.00 | — | 0.00 | Jun 6, 2024 | An improper access control vulnerability exists in the lunary-ai/lunary repository, specifically within the versions.patch functionality for updating prompts. Affected versions include 1.2.2 up to but not including 1.2.25. The vulnerability allows unauthorized users to update… | |||
| CVE-2024-5128 | 0.00 | — | 0.01 | Jun 6, 2024 | An Insecure Direct Object Reference (IDOR) vulnerability was identified in lunary-ai/lunary, affecting versions up to and including 1.2.2. This vulnerability allows unauthorized users to view, update, or delete any dataset_prompt or dataset_prompt_variation within any dataset or… | |||
| CVE-2024-3504 | 0.00 | — | 0.00 | Jun 6, 2024 | An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is… | |||
| CVE-2024-5277 | 0.00 | — | 0.00 | Jun 6, 2024 | In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account. The issue… | |||
| CVE-2024-5127 | 0.00 | — | 0.00 | Jun 6, 2024 | In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend… | |||
| CVE-2024-4148 | 0.00 | — | 0.01 | Jun 1, 2024 | A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary application, version 1.2.10. An attacker can exploit this vulnerability by maliciously manipulating regular expressions, which can significantly impact the response time of the… | |||
| CVE-2024-4154 | 0.00 | — | 0.00 | May 21, 2024 | In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not… | |||
| CVE-2024-4151 | 0.00 | — | 0.00 | May 20, 2024 | An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling of PATCH and GET requests for template versions. This vulnerability allows… | |||
| CVE-2024-3761 | 0.00 | — | 0.00 | May 20, 2024 | In lunary-ai/lunary version 1.2.2, the DELETE endpoint located at `packages/backend/src/api/v1/datasets` is vulnerable to unauthorized dataset deletion due to missing authorization and authentication mechanisms. This vulnerability allows any user, even those without a valid… | |||
| CVE-2024-1739 | 0.00 | — | 0.01 | Apr 16, 2024 | lunary-ai/lunary is vulnerable to an authentication issue due to improper validation of email addresses during the signup process. Specifically, the server fails to treat email addresses as case insensitive, allowing the creation of multiple accounts with the same email address… | |||
| CVE-2024-1626 | 0.00 | — | 0.00 | Apr 16, 2024 | An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization… | |||
| CVE-2024-1738 | 0.00 | — | 0.01 | Apr 16, 2024 | An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply… | |||
| CVE-2024-1666 | 0.00 | — | 0.00 | Apr 16, 2024 | In lunary-ai/lunary version 1.0.0, an authorization flaw exists that allows unauthorized radar creation. The vulnerability stems from the lack of server-side checks to verify if a user is on a free account during the radar creation process, which is only enforced in the web UI.… | |||
| CVE-2024-1902 | 0.00 | — | 0.00 | Apr 10, 2024 | lunary-ai/lunary is vulnerable to a session reuse attack, allowing a removed user to change the organization name without proper authorization. The vulnerability stems from the lack of validation to check if a user is still part of an organization before allowing them to make… | |||
| CVE-2024-1740 | 0.00 | — | 0.01 | Apr 10, 2024 | In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary web application communicates with the server using an 'Authorization' token in… | |||
| CVE-2024-1741 | 0.00 | — | 0.01 | Apr 10, 2024 | lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. Despite being removed from an organization, these members can still perform operations on… | |||
| CVE-2024-1625 | 0.00 | — | 0.00 | Apr 10, 2024 | An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. The vulnerability is due to insufficient authorization checks in the project deletion endpoint, where… |
- CVE-2024-5131Jun 6, 2024risk 0.00cvss —epss 0.00
An Improper Access Control vulnerability exists in the lunary-ai/lunary repository, affecting versions up to and including 1.2.2. The vulnerability allows unauthorized users to view any prompts in any projects by supplying a specific prompt ID to an endpoint that does not…
- CVE-2024-5129Jun 6, 2024risk 0.00cvss —epss 0.00
A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. The vulnerability is present in the dataset deletion functionality, where the application fails to verify if the user…
- CVE-2024-5133Jun 6, 2024risk 0.00cvss —epss 0.01
In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Specifically, when a user initiates the password reset process, the recovery token is included in the response of the `GET…
- CVE-2024-5478Jun 6, 2024risk 0.00cvss —epss 0.00
A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the `orgId` parameter supplied by the user before…
- CVE-2024-5126Jun 6, 2024risk 0.00cvss —epss 0.00
An improper access control vulnerability exists in the lunary-ai/lunary repository, specifically within the versions.patch functionality for updating prompts. Affected versions include 1.2.2 up to but not including 1.2.25. The vulnerability allows unauthorized users to update…
- CVE-2024-5128Jun 6, 2024risk 0.00cvss —epss 0.01
An Insecure Direct Object Reference (IDOR) vulnerability was identified in lunary-ai/lunary, affecting versions up to and including 1.2.2. This vulnerability allows unauthorized users to view, update, or delete any dataset_prompt or dataset_prompt_variation within any dataset or…
- CVE-2024-3504Jun 6, 2024risk 0.00cvss —epss 0.00
An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. This vulnerability allows the elevated user to delete projects within the organization. The issue is…
- CVE-2024-5277Jun 6, 2024risk 0.00cvss —epss 0.00
In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account. The issue…
- CVE-2024-5127Jun 6, 2024risk 0.00cvss —epss 0.00
In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. This issue arises due to insufficient backend…
- CVE-2024-4148Jun 1, 2024risk 0.00cvss —epss 0.01
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary application, version 1.2.10. An attacker can exploit this vulnerability by maliciously manipulating regular expressions, which can significantly impact the response time of the…
- CVE-2024-4154May 21, 2024risk 0.00cvss —epss 0.00
In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not…
- CVE-2024-4151May 20, 2024risk 0.00cvss —epss 0.00
An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling of PATCH and GET requests for template versions. This vulnerability allows…
- CVE-2024-3761May 20, 2024risk 0.00cvss —epss 0.00
In lunary-ai/lunary version 1.2.2, the DELETE endpoint located at `packages/backend/src/api/v1/datasets` is vulnerable to unauthorized dataset deletion due to missing authorization and authentication mechanisms. This vulnerability allows any user, even those without a valid…
- CVE-2024-1739Apr 16, 2024risk 0.00cvss —epss 0.01
lunary-ai/lunary is vulnerable to an authentication issue due to improper validation of email addresses during the signup process. Specifically, the server fails to treat email addresses as case insensitive, allowing the creation of multiple accounts with the same email address…
- CVE-2024-1626Apr 16, 2024risk 0.00cvss —epss 0.00
An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization…
- CVE-2024-1738Apr 16, 2024risk 0.00cvss —epss 0.01
An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply…
- CVE-2024-1666Apr 16, 2024risk 0.00cvss —epss 0.00
In lunary-ai/lunary version 1.0.0, an authorization flaw exists that allows unauthorized radar creation. The vulnerability stems from the lack of server-side checks to verify if a user is on a free account during the radar creation process, which is only enforced in the web UI.…
- CVE-2024-1902Apr 10, 2024risk 0.00cvss —epss 0.00
lunary-ai/lunary is vulnerable to a session reuse attack, allowing a removed user to change the organization name without proper authorization. The vulnerability stems from the lack of validation to check if a user is still part of an organization before allowing them to make…
- CVE-2024-1740Apr 10, 2024risk 0.00cvss —epss 0.01
In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary web application communicates with the server using an 'Authorization' token in…
- CVE-2024-1741Apr 10, 2024risk 0.00cvss —epss 0.01
lunary-ai/lunary version 1.0.1 is vulnerable to improper authorization, allowing removed members to read, create, modify, and delete prompt templates using an old authorization token. Despite being removed from an organization, these members can still perform operations on…
- CVE-2024-1625Apr 10, 2024risk 0.00cvss —epss 0.00
An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. The vulnerability is due to insufficient authorization checks in the project deletion endpoint, where…
Page 2 of 2