26 matches found
CVE-2024-5386
In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role...
CVE-2024-5386 Account Hijacking via Password Reset Token Leak in lunary-ai/lunary
In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role...
CVE-2024-5386 Account Hijacking via Password Reset Token Leak in lunary-ai/lunary
In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role...
CVE-2024-5386
In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role...
CVE-2024-4147 Insufficient Access Control in lunary-ai/lunary
In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application's failure to validate the ownership of the prompt before deletion, on...
CVE-2024-4147
CVE-2024-4147 affects lunary-ai/lunary v1.2.13. The flaw is insufficient access-control granularity: deletion checks only resource-permission, not ownership by project/organization, enabling deletion of prompts from other organizations. This can cause legitimate users to lose access and data inco...
PT-2026-5650
Name of the Vulnerable Software and Affected Versions lunary-ai/lunary version 1.2.13 Description An insufficient granularity of access control allows users to delete prompts created in other organizations through ID manipulation. The application does not validate the ownership of the prompt befo...
CVE-2025-9803 Improper Authentication in lunary-ai/lunary
lunary-ai/lunary version 1.9.34 is vulnerable to an account takeover due to improper authentication in the Google OAuth integration. The application fails to verify the 'aud' audience field in the access token issued by Google, which is crucial for ensuring the token is intended for the...
EUVD-2024-46386
Malicious code in bioql PyPI...
CVE-2024-11137
An Insecure Direct Object Reference IDOR vulnerability exists in the PATCH /v1/runs/:id/score endpoint of lunary-ai/lunary version 1.6.0. This vulnerability allows an attacker to update the score data of any run by manipulating the id parameter in the request URL, which corresponds to the...
CVE-2024-8999
lunary-ai/lunary version v1.4.25 contains an improper access control vulnerability in the POST /api/v1/data-warehouse/bigquery endpoint. This vulnerability allows any user to export the entire database data by creating a stream to Google BigQuery without proper authentication or authorization. Th...
CVE-2024-5129
A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. The vulnerability is present in the dataset deletion functionality, where the application fails to verify if the user requesting the deletion...
CVE-2024-1740
In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary web application communicates with the server using an 'Authorization' token in the browser, which...
CVE-2024-4151
An Improper Access Control vulnerability exists in lunary-ai/lunary version 1.2.2, where users can view and update any prompts in any projects due to insufficient access control checks in the handling of PATCH and GET requests for template versions. This vulnerability allows unauthorized users to...
PT-2024-38366 · Lunary Ai · Lunary
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version v1.4.2 Description: A SQL injection vulnerability exists in the "/api/v1/external-users" route. The order by clause of the SQL query uses sql.unsafe without prior sanitization, allowing for SQL injection. The...
PT-2024-9679 · Lunary · Lunary
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 1.3.2 Description: The issue is related to an Insecure Direct Object Reference IDOR vulnerability, which allows unauthorized access to external user data by manipulating the id parameter in the request URL. This can...
PT-2024-37911 · Lunary Ai · Lunary
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 1.2.34 Description: A Cross-Site Request Forgery CSRF vulnerability exists due to overly permissive CORS settings, allowing an attacker to sign up for and create projects or use the instance as if they were a user wit...
CVE-2024-5389
In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the ownership of dataset...
CVE-2024-4146
In Lunary (lunary-ai/lunary) v1.2.13, CVE-2024-4146 describes an incorrect authorization vulnerability in the checkProjectAccess middleware. The vulnerability relies on only verifying organization membership and fails to enforce explicit project-level permissions checked via the account_project t...
PT-2024-29408 · Lunary · Lunary
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version v1.2.13 Description: The issue is related to an incorrect authorization vulnerability that allows unauthorized users to access and manipulate projects within an organization they should not have access to. This...