CVE-2024-7474
9.1
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. A user can view or delete external users by manipulating the 'id' parameter in the request URL. The application does not perform adequate checks on the 'id' parameter, allowing unauthorized access to external user data.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| lunary-ai | lunary-ai/lunary | unspecified < 1.3.4 | affected |
Weaknesses
- CWE-639: CWE-639 Authorization Bypass Through User-Controlled Key
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://huntr.com/bounties/95d8b993-3347-4ef5-a2b3-1f57219b7871
- https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.