Vulnerabilities > Lunary
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-09-13 | CVE-2024-6582 | Missing Authentication for Critical Function vulnerability in Lunary A broken access control vulnerability exists in the latest version of lunary-ai/lunary. | 4.3 |
| 2024-09-13 | CVE-2024-6862 | Cross-Site Request Forgery (CSRF) vulnerability in Lunary 1.2.34 A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. | 8.1 |
| 2024-09-13 | CVE-2024-6867 | Insufficient Granularity of Access Control vulnerability in Lunary 1.4.9 An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. | 6.5 |
| 2024-06-27 | CVE-2024-5714 | Unspecified vulnerability in Lunary 1.2.4 In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other organizations with escalated privileges, and change members from other organizations to their own or other projects, also with escalated privileges. | 6.8 |
| 2024-06-27 | CVE-2024-5755 | Unspecified vulnerability in Lunary In lunary-ai/lunary versions <=v1.2.11, an attacker can bypass email validation by using a dot character ('.') in the email address. | 5.3 |
| 2024-06-27 | CVE-2024-6086 | Unspecified vulnerability in Lunary 1.2.7 In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. | 4.3 |
| 2024-06-09 | CVE-2024-5389 | Unspecified vulnerability in Lunary 1.2.13 In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. | 8.1 |
| 2024-06-08 | CVE-2024-4146 | Incorrect Authorization vulnerability in Lunary 1.2.13 In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. | 9.8 |
| 2024-06-06 | CVE-2024-5126 | Unspecified vulnerability in Lunary An improper access control vulnerability exists in the lunary-ai/lunary repository, specifically within the versions.patch functionality for updating prompts. | 6.5 |
| 2024-06-06 | CVE-2024-5128 | Authorization Bypass Through User-Controlled Key vulnerability in Lunary An Insecure Direct Object Reference (IDOR) vulnerability was identified in lunary-ai/lunary, affecting versions up to and including 1.2.2. | 8.8 |