An IDOR vulnerability exists in the 'Evaluations' function of the 'umgws datasets' section in lunary-ai/lunary versions 1.3.2. This vulnerability allows an authenticated user to update other users' prompts by manipulating the 'id' parameter in the request. The issue is fixed in version 1.4.3.
References
Link | Resource |
---|---|
https://github.com/lunary-ai/lunary/commit/88b55b01fcbab0fbbc5b8032a38d0345af98ecfa | Patch |
https://huntr.com/bounties/afecd927-b5f6-44ba-9147-5c45091beda5 | Exploit Third Party Advisory |
Configurations
History
03 Nov 2024, 17:15
Type | Values Removed | Values Added |
---|---|---|
CWE |
31 Oct 2024, 15:11
Type | Values Removed | Values Added |
---|---|---|
First Time |
Lunary
Lunary lunary |
|
Summary |
|
|
References | () https://github.com/lunary-ai/lunary/commit/88b55b01fcbab0fbbc5b8032a38d0345af98ecfa - Patch | |
References | () https://huntr.com/bounties/afecd927-b5f6-44ba-9147-5c45091beda5 - Exploit, Third Party Advisory | |
CPE | cpe:2.3:a:lunary:lunary:1.3.2:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
CWE | CWE-639 |
29 Oct 2024, 13:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-29 13:15
Updated : 2024-11-03 17:15
NVD link : CVE-2024-7473
Mitre link : CVE-2024-7473
CVE.ORG link : CVE-2024-7473
JSON object : View
Products Affected
lunary
- lunary
CWE
CWE-639
Authorization Bypass Through User-Controlled Key