Vulnerabilities > Lunary > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-06-06 | CVE-2024-5248 | Missing Authorization vulnerability in Lunary In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. | 6.5 |
| 2024-06-06 | CVE-2024-5478 | Cross-site Scripting vulnerability in Lunary 1.2.7 A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. | 6.1 |
| 2024-06-06 | CVE-2024-3504 | Unspecified vulnerability in Lunary An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. | 6.5 |
| 2024-06-06 | CVE-2024-5127 | Missing Authorization vulnerability in Lunary In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. | 5.4 |