CVE-2024-4154 Incorrect Synchronization in lunary-ai/lunary
In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. Specifically, an unprivileged user can send a PATCH request to the project's endpoint with a new name for a project, despite not having the...
Quarkus: security checks in resteasy reactive may trigger a denial of service
A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has knowledge of any...
CVE-2024-1626 IDOR Vulnerability in lunary-ai/lunary
An Insecure Direct Object Reference IDOR vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization checks, by directly...
CVE-2024-1626
CVE-2024-1626 affects lunary-ai/lunary (version 0.3.0). Affected component: project update endpoint /v1/projects/:projectId. Root cause: insufficient authorization checks allow authenticated users to modify any project’s name by referencing a projectId not owned by them, enabling cross-organizati...
CVE-2024-1902 Session Reuse Vulnerability in lunary-ai/lunary
lunary-ai/lunary is vulnerable to a session reuse attack, allowing a removed user to change the organization name without proper authorization. The vulnerability stems from the lack of validation to check if a user is still part of an organization before allowing them to make changes. An attacker...
CVE-2024-1902
CVE-2024-1902 affects lunary-ai/lunary. The issue is a session-reuse vulnerability where a removed user can alter an organization’s name using an old authorization token via the orgs.patch route. Root cause: lack of validation to verify membership in the organization before permitting changes, du...
PT-2024-18409 · Lunary
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary (affected versions not specified)
Description: The issue allows a removed user to change the organization name without proper authorization due to the lack of validation to check if a user is still part of an organization befor...
GHSA-2P2X-P7WJ-J5H2 PsiTransfer: File integrity violation
Summary: The absence of restrictions on the endpoint designed for uploading files allows an attacker who has obtained the id of a file distribution to change the files in that distribution.
Details: Vulnerable endpoint: PATCH /files/id
PoC: 1. Create a file distribution. 2. Go to the...
PsiTransfer: Violation of the integrity of file distribution
Summary: The absence of restrictions on the endpoint that creates a path for uploading a file into a file distribution allows an attacker to add arbitrary files to the distribution.
Details: Vulnerable endpoint: POST /files
PoC: 1. Create a file distribution. 2. Go to the link address ...
PT-2024-24087
Name of the Vulnerable Software and Affected Versions: PsiTransfer versions prior to 2.2.0
Description: The issue arises from the absence of restrictions on the "POST /files" endpoint, which allows users to create a path for uploading a file in a file distribution. This enables an attacker to add...
CVE-2023-52265 Cross-site scripting in IDURAR (idurar-erp-crm)
IDURAR aka idurar-erp-crm through 2.0.1 allows stored XSS via a PATCH request with a crafted JSON email template in the /api/email/update data...
PT-2023-31948 · Idurar
Name of the Vulnerable Software and Affected Versions: IDURAR aka idurar-erp-crm versions 2.0.1 and earlier
Description: The issue allows stored XSS via a PATCH request with a crafted JSON email template in the "/api/email/update" data. This can be exploited by sending a specially crafted request...