Vulnerabilities > Lunary > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-10-29 | CVE-2024-7472 | Injection vulnerability in Lunary 1.2.26. lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). | 6.5 |
2024-10-29 | CVE-2024-7473 | Authorization Bypass Through User-Controlled Key vulnerability in Lunary 1.3.2. An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. | 6.5 |
2024-09-13 | CVE-2024-6087 | Unspecified vulnerability in Lunary. An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. | 6.5 |
2024-09-13 | CVE-2024-6582 | Missing Authentication for Critical Function vulnerability in Lunary. A broken access control vulnerability exists in the latest version of lunary-ai/lunary. | 4.3 |
2024-09-13 | CVE-2024-6867 | Insufficient Granularity of Access Control vulnerability in Lunary 1.4.9. An information disclosure vulnerability exists in the lunary-ai/lunary, specifically in the `runs/{run_id}/related` endpoint. | 6.5 |
2024-06-27 | CVE-2024-5714 | Unspecified vulnerability in Lunary 1.2.4. In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other organizations with escalated privileges, and change members from other organizations to their own or other projects, also with escalated privileges. | 6.8 |
2024-06-27 | CVE-2024-5755 | Unspecified vulnerability in Lunary. In lunary-ai/lunary versions <=v1.2.11, an attacker can bypass email validation by using a dot character ('.') in the email address. | 5.3 |
2024-06-27 | CVE-2024-6086 | Unspecified vulnerability in Lunary 1.2.7. In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. | 4.3 |
2024-06-06 | CVE-2024-5126 | Unspecified vulnerability in Lunary. An improper access control vulnerability exists in the lunary-ai/lunary repository, specifically within the versions.patch functionality for updating prompts. | 6.5 |
2024-06-06 | CVE-2024-5131 | Authorization Bypass Through User-Controlled Key vulnerability in Lunary. An Improper Access Control vulnerability exists in the lunary-ai/lunary repository, affecting versions up to and including 1.2.2. | 6.5 |