Vulnerabilities > CVE-2024-6086 - Unspecified vulnerability in Lunary 1.2.7

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

LOW

Availability impact

NONE

network

low complexity

lunary

NVD

Published: 2024-06-27

Updated: 2024-09-19

Summary

In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization.

Vulnerable Configurations

Part	Description	Count
Application	Lunary Lunary Lunary 1.2.7	1

References

https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643