In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. A user can view or delete external users by manipulating the 'id' parameter in the request URL. The application does not perform adequate checks on the 'id' parameter, allowing unauthorized access to external user data.
References
Link | Resource |
---|---|
https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5 | Patch |
https://huntr.com/bounties/95d8b993-3347-4ef5-a2b3-1f57219b7871 | Exploit Issue Tracking Third Party Advisory |
Configurations
History
14 Nov 2024, 14:15
Type | Values Removed | Values Added |
---|---|---|
CWE |
04 Nov 2024, 13:49
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
|
First Time |
Lunary
Lunary lunary |
|
CWE | CWE-639 | |
CPE | cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:* | |
References | () https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5 - Patch | |
References | () https://huntr.com/bounties/95d8b993-3347-4ef5-a2b3-1f57219b7871 - Exploit, Issue Tracking, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.1 |
29 Oct 2024, 13:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-29 13:15
Updated : 2024-11-14 14:15
NVD link : CVE-2024-7474
Mitre link : CVE-2024-7474
CVE.ORG link : CVE-2024-7474
JSON object : View
Products Affected
lunary
- lunary
CWE
CWE-639
Authorization Bypass Through User-Controlled Key