Vulnerabilities > Lunary
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-06-06 | CVE-2024-5129 | Missing Authorization vulnerability in Lunary A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. | 8.2 |
| 2024-06-06 | CVE-2024-5130 | Authorization Bypass Through User-Controlled Key vulnerability in Lunary An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. | 7.5 |
| 2024-06-06 | CVE-2024-5131 | Authorization Bypass Through User-Controlled Key vulnerability in Lunary An Improper Access Control vulnerability exists in the lunary-ai/lunary repository, affecting versions up to and including 1.2.2. | 6.5 |
| 2024-06-06 | CVE-2024-5133 | Unspecified vulnerability in Lunary In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. | 8.1 |
| 2024-06-06 | CVE-2024-5248 | Missing Authorization vulnerability in Lunary In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. | 6.5 |
| 2024-06-06 | CVE-2024-5328 | Server-Side Request Forgery (SSRF) vulnerability in Lunary A Server-Side Request Forgery (SSRF) vulnerability exists in the lunary-ai/lunary application, specifically within the endpoint '/auth/saml/tto/download-idp-xml'. | 9.3 |
| 2024-06-06 | CVE-2024-5478 | Cross-site Scripting vulnerability in Lunary 1.2.7 A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. | 6.1 |
| 2024-06-06 | CVE-2024-3504 | Unspecified vulnerability in Lunary An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. | 6.5 |
| 2024-06-06 | CVE-2024-5127 | Missing Authorization vulnerability in Lunary In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. | 5.4 |
| 2024-06-06 | CVE-2024-5277 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Lunary In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. | 7.5 |