Vulnerabilities > Lunary > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-06-27 | CVE-2024-5755 | Unspecified vulnerability in Lunary In lunary-ai/lunary versions <=v1.2.11, an attacker can bypass email validation by using a dot character ('.') in the email address. | 5.3 |
| 2024-06-27 | CVE-2024-6086 | Unspecified vulnerability in Lunary 1.2.7 In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. | 4.3 |
| 2024-06-06 | CVE-2024-5126 | Unspecified vulnerability in Lunary An improper access control vulnerability exists in the lunary-ai/lunary repository, specifically within the versions.patch functionality for updating prompts. | 6.5 |
| 2024-06-06 | CVE-2024-5131 | Unspecified vulnerability in Lunary An Improper Access Control vulnerability exists in the lunary-ai/lunary repository, affecting versions up to and including 1.2.2. | 6.5 |
| 2024-06-06 | CVE-2024-5248 | Unspecified vulnerability in Lunary In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. | 6.5 |
| 2024-06-06 | CVE-2024-5478 | Unspecified vulnerability in Lunary 1.2.7 A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. | 6.1 |
| 2024-06-06 | CVE-2024-3504 | Unspecified vulnerability in Lunary An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. | 6.5 |
| 2024-06-06 | CVE-2024-5127 | Unspecified vulnerability in Lunary In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. | 5.4 |
| 2024-05-21 | CVE-2024-4154 | Authorization Bypass Through User-Controlled Key vulnerability in Lunary In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. | 6.5 |
| 2024-04-16 | CVE-2024-1666 | Unspecified vulnerability in Lunary In lunary-ai/lunary version 1.0.0, an authorization flaw exists that allows unauthorized radar creation. | 5.3 |