Vulnerabilities > Lunary > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-10-29 | CVE-2024-7474 | Authorization Bypass Through User-Controlled Key vulnerability in Lunary In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. | 8.1 |
| 2024-09-13 | CVE-2024-6862 | Cross-Site Request Forgery (CSRF) vulnerability in Lunary 1.2.34 A Cross-Site Request Forgery (CSRF) vulnerability exists in lunary-ai/lunary version 1.2.34 due to overly permissive CORS settings. | 8.1 |
| 2024-06-09 | CVE-2024-5389 | Unspecified vulnerability in Lunary 1.2.13 In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. | 8.1 |
| 2024-06-06 | CVE-2024-5128 | Authorization Bypass Through User-Controlled Key vulnerability in Lunary An Insecure Direct Object Reference (IDOR) vulnerability was identified in lunary-ai/lunary, affecting versions up to and including 1.2.2. | 8.8 |
| 2024-06-06 | CVE-2024-5129 | Missing Authorization vulnerability in Lunary A Privilege Escalation Vulnerability exists in lunary-ai/lunary version 1.2.2, where any user can delete any datasets due to missing authorization checks. | 8.2 |
| 2024-06-06 | CVE-2024-5130 | Authorization Bypass Through User-Controlled Key vulnerability in Lunary An Incorrect Authorization vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, which allows unauthenticated users to delete any dataset. | 7.5 |
| 2024-06-06 | CVE-2024-5133 | Unspecified vulnerability in Lunary In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. | 8.1 |
| 2024-06-06 | CVE-2024-5277 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Lunary In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. | 7.5 |