CVE-2024-6086

In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization.
References
Link Resource
https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:1.2.7:*:*:*:*:*:*:*

History

19 Sep 2024, 15:57

Type Values Removed Values Added
First Time Lunary lunary
Lunary
CVSS v2 : unknown
v3 : 5.3
v2 : unknown
v3 : 4.3
Summary
  • (es) En la versión 1.2.7 de lunary-ai/lunary, cualquier usuario autenticado, independientemente de su rol, puede cambiar el nombre de una organización debido a un control de acceso inadecuado. La función checkAccess() no está implementada, lo que permite a los usuarios con los privilegios más bajos, como la función 'Editor de mensajes', modificar los atributos de la organización sin la autorización adecuada.
CWE NVD-CWE-noinfo
CPE cpe:2.3:a:lunary:lunary:1.2.7:*:*:*:*:*:*:*
References () https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643 - () https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643 - Exploit, Third Party Advisory

27 Jun 2024, 19:25

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-27 19:15

Updated : 2024-09-19 15:57


NVD link : CVE-2024-6086

Mitre link : CVE-2024-6086

CVE.ORG link : CVE-2024-6086


JSON object : View

Products Affected

lunary

  • lunary
CWE
NVD-CWE-noinfo CWE-284

Improper Access Control