CVE-2024-7473

Published: Oct 29, 2024Modified: Nov 3, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. This vulnerability allows an authenticated user to update other users' prompts by manipulating the 'id' parameter in the request. The issue is fixed in version 1.4.3.

Affected (1)

Products: Lunary: Lunary

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Lunary Lunary	Version 1.3.2

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://github.com/lunary-ai/lunary/commit/88b55b01fcbab0fbbc5b8032a38d0345af98ecfa

Source: security@huntr.dev

Patch

https://huntr.com/bounties/afecd927-b5f6-44ba-9147-5c45091beda5

Source: security@huntr.dev

ExploitThird Party Advisory

Timeline

No history available yet.