Vulnerabilities > Lunary

| Date | CVE | Vulnerability title | Description | Attack vector | Complexity | Tags | Score |
|---|---|---|---|---|---|---|---|
| 2024-09-13 | CVE-2024-6582 | Missing Authentication for Critical Function vulnerability in Lunary | A broken access control vulnerability exists in the latest version of lunary-ai/lunary. | network | low | lunary, CWE-306 | 4.3 |
| 2024-09-13 | CVE-2024-6862 | Cross-Site Request Forgery (CSRF) vulnerability in Lunary 1.2.34 | A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. | network | low | lunary, CWE-352 | 8.1 |
| 2024-09-13 | CVE-2024-6867 | Insufficient Granularity of Access Control vulnerability in Lunary 1.4.9 | An information disclosure vulnerability exists in lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. | network | low | lunary, CWE-1220 | 6.5 |
| 2024-06-27 | CVE-2024-5714 | Unspecified vulnerability in Lunary 1.2.4 | In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other organizations with escalated privileges, and change members from other organizations to their own or other projects, also with escalated privileges. | network | high | lunary | 6.8 |
| 2024-06-27 | CVE-2024-5755 | Unspecified vulnerability in Lunary | In lunary-ai/lunary versions <=v1.2.11, an attacker can bypass email validation by using a dot character ('.') in the email address. | network | low | lunary | 5.3 |
| 2024-06-27 | CVE-2024-6086 | Unspecified vulnerability in Lunary 1.2.7 | In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. | network | low | lunary | 4.3 |
| 2024-06-09 | CVE-2024-5389 | Unspecified vulnerability in Lunary 1.2.13 | In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. | network | low | lunary | 8.1 |
| 2024-06-08 | CVE-2024-4146 | Incorrect Authorization vulnerability in Lunary 1.2.13 | In lunary-ai/lunary version v1.2.13, an incorrect authorization vulnerability exists that allows unauthorized users to access and manipulate projects within an organization they should not have access to. | network | low | lunary, CWE-863 | 9.8 (critical) |
| 2024-06-06 | CVE-2024-5126 | Unspecified vulnerability in Lunary | An improper access control vulnerability exists in the lunary-ai/lunary repository, specifically within the versions.patch functionality for updating prompts. | network | low | lunary | 6.5 |
| 2024-06-06 | CVE-2024-5128 | Unspecified vulnerability in Lunary | An Insecure Direct Object Reference (IDOR) vulnerability was identified in lunary-ai/lunary, affecting versions up to and including 1.2.2. | network | low | lunary | 8.8 |