Vulnerabilities > Lunary

DATE CVE VULNERABILITY TITLE RISK
2024-06-06 CVE-2024-5129 Missing Authorization vulnerability in Lunary
A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks.
network
low complexity
lunary CWE-862
8.2
2024-06-06 CVE-2024-5130 Unspecified vulnerability in Lunary
An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset.
network
low complexity
lunary
7.5
2024-06-06 CVE-2024-5131 Unspecified vulnerability in Lunary
An Improper Access Control vulnerability exists in the lunary-ai/lunary repository, affecting versions up to and including 1.2.2.
network
low complexity
lunary
6.5
2024-06-06 CVE-2024-5133 Unspecified vulnerability in Lunary
In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses.
network
low complexity
lunary
8.1
2024-06-06 CVE-2024-5248 Unspecified vulnerability in Lunary
In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint.
network
low complexity
lunary
6.5
2024-06-06 CVE-2024-5328 Unspecified vulnerability in Lunary
A Server-Side Request Forgery (SSRF) vulnerability exists in the lunary-ai/lunary application, specifically within the endpoint '/auth/saml/tto/download-idp-xml'.
network
low complexity
lunary
critical
9.3
2024-06-06 CVE-2024-5478 Unspecified vulnerability in Lunary 1.2.7
A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7.
network
low complexity
lunary
6.1
2024-06-06 CVE-2024-3504 Unspecified vulnerability in Lunary
An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner.
network
low complexity
lunary
6.5
2024-06-06 CVE-2024-5127 Unspecified vulnerability in Lunary
In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only.
network
low complexity
lunary
5.4
2024-06-06 CVE-2024-5277 Weak Password Recovery Mechanism for Forgotten Password vulnerability in Lunary
In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use.
network
high complexity
lunary CWE-640
7.5