CVE-2024-7474

Published: Oct 29, 2024Modified: Jan 9, 2025

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. A user can view or delete external users by manipulating the 'id' parameter in the request URL. The application does not perform adequate checks on the 'id' parameter, allowing unauthorized access to external user data.

Affected (1)

Products: Lunary: Lunary

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Lunary Lunary	Before 1.3.4

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5

Source: security@huntr.dev

Patch

https://huntr.com/bounties/95d8b993-3347-4ef5-a2b3-1f57219b7871

Source: security@huntr.dev

ExploitIssue TrackingThird Party Advisory

Timeline

No history available yet.