Vulnerabilities > Lunary > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2024-06-06 | CVE-2024-5248 | Unspecified vulnerability in Lunary | In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. | 6.5 |
2024-06-06 | CVE-2024-5478 | Unspecified vulnerability in Lunary 1.2.7 | A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. | 6.1 |
2024-06-06 | CVE-2024-3504 | Unspecified vulnerability in Lunary | An improper access control vulnerability exists in lunary-ai/lunary versions up to and including 1.2.2, where an admin can update any organization user to the organization owner. | 6.5 |
2024-06-06 | CVE-2024-5127 | Unspecified vulnerability in Lunary | In lunary-ai/lunary versions 1.2.2 through 1.2.25, an improper access control vulnerability allows users on the Free plan to invite other members and assign them any role, including those intended for Paid and Enterprise plans only. | 5.4 |
2024-05-21 | CVE-2024-4154 | Authorization Bypass Through User-Controlled Key vulnerability in Lunary | In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulnerability allows unprivileged users to rename projects they do not have access to. | 6.5 |
2024-04-16 | CVE-2024-1666 | Unspecified vulnerability in Lunary | In lunary-ai/lunary version 1.0.0, an authorization flaw exists that allows unauthorized radar creation. | 5.3 |
2024-04-10 | CVE-2024-1625 | Authorization Bypass Through User-Controlled Key vulnerability in Lunary 0.3.0 | An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. | 6.5 |