5 matches found
CVE-2024-10762
In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. This...
CVE-2024-10762
In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. This...
CVE-2024-10762 Missing Authorization in lunary-ai/lunary
In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. This...
CVE-2024-10762 Missing Authorization in lunary-ai/lunary
In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. However, the route lacks proper access control, such as middleware to ensure that only users with appropriate roles can delete evaluator data. This...
CVE-2024-10762
CVE-2024-10762 affects lunary-ai/lunary prior to version 1.5.9. The /v1/evaluators/ endpoint does not enforce access control, permitting low-privilege users to issue DELETE requests that delete evaluator data, causing permanent data loss and potential operational disruption. Evidence from multipl...