Vulnerabilities > Lunary

DATE CVE VULNERABILITY TITLE RISK
2024-11-14 CVE-2024-3760 Unspecified vulnerability in Lunary
In lunary-ai/lunary version 1.2.7, there is a lack of rate limiting on the forgot password page, leading to an email bombing vulnerability.
network
low complexity
lunary
7.5
2024-11-14 CVE-2024-3379 Incorrect Authorization vulnerability in Lunary
In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to.
network
low complexity
lunary CWE-863
8.1
2024-11-14 CVE-2024-3501 Insecure Storage of Sensitive Information vulnerability in Lunary
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints.
network
low complexity
lunary CWE-922
8.1
2024-11-14 CVE-2024-3502 Insecure Storage of Sensitive Information vulnerability in Lunary
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors.
network
low complexity
lunary CWE-922
8.1
2024-11-01 CVE-2024-7456 SQL Injection vulnerability in Lunary 1.4.2
A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2.
network
low complexity
lunary CWE-89
critical
9.8
2024-10-29 CVE-2024-7472 Injection vulnerability in Lunary 1.2.26
lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup).
network
low complexity
lunary CWE-74
6.5
2024-10-29 CVE-2024-7473 Authorization Bypass Through User-Controlled Key vulnerability in Lunary 1.3.2
An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2.
network
low complexity
lunary CWE-639
6.5
2024-10-29 CVE-2024-7474 Authorization Bypass Through User-Controlled Key vulnerability in Lunary
In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists.
network
low complexity
lunary CWE-639
8.1
2024-10-29 CVE-2024-7475 Unspecified vulnerability in Lunary
An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization.
network
low complexity
lunary
critical
9.1
2024-09-13 CVE-2024-6087 Unspecified vulnerability in Lunary
An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch.
network
low complexity
lunary
6.5