In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization.
References
Link | Resource |
---|---|
https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643 | Exploit Third Party Advisory |
Configurations
History
19 Sep 2024, 15:57
Type | Values Removed | Values Added |
---|---|---|
First Time |
Lunary lunary
Lunary |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.3 |
Summary |
|
|
CWE | NVD-CWE-noinfo | |
CPE | cpe:2.3:a:lunary:lunary:1.2.7:*:*:*:*:*:*:* | |
References | () https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643 - Exploit, Third Party Advisory |
27 Jun 2024, 19:25
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-06-27 19:15
Updated : 2024-09-19 15:57
NVD link : CVE-2024-6086
Mitre link : CVE-2024-6086
CVE.ORG link : CVE-2024-6086
JSON object : View
Products Affected
lunary
- lunary
CWE