CVE-2024-7474

In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. A user can view or delete external users by manipulating the 'id' parameter in the request URL. The application does not perform adequate checks on the 'id' parameter, allowing unauthorized access to external user data.
Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

14 Nov 2024, 14:15

Type Values Removed Values Added
CWE CWE-284

04 Nov 2024, 13:49

Type Values Removed Values Added
CPE cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*
First Time Lunary
Lunary lunary
References () https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5 - () https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5 - Patch
References () https://huntr.com/bounties/95d8b993-3347-4ef5-a2b3-1f57219b7871 - () https://huntr.com/bounties/95d8b993-3347-4ef5-a2b3-1f57219b7871 - Exploit, Issue Tracking, Third Party Advisory
CVSS v2 : unknown
v3 : 9.1
v2 : unknown
v3 : 8.1
Summary
  • (es) En la versión 1.3.2 de lunary-ai/lunary, existe una vulnerabilidad de referencia directa a objetos inseguros (IDOR). Un usuario puede ver o eliminar usuarios externos manipulando el parámetro 'id' en la URL de solicitud. La aplicación no realiza comprobaciones adecuadas en el parámetro 'id', lo que permite el acceso no autorizado a los datos de usuarios externos.
CWE CWE-639

29 Oct 2024, 13:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-29 13:15

Updated : 2024-11-14 14:15


NVD link : CVE-2024-7474

Mitre link : CVE-2024-7474

CVE.ORG link : CVE-2024-7474


JSON object : View

Products Affected

lunary

  • lunary
CWE
CWE-639

Authorization Bypass Through User-Controlled Key