CVE-2024-5133

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-5133

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5133.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-5133

Published

2024-06-06T19:16:05.557Z

Modified

2025-11-20T12:30:53.143442Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Specifically, when a user initiates the password reset process, the recovery token is included in the response of the GET /v1/users/me/org endpoint, which lists all users in a team. This allows any authenticated user to capture the recovery token of another user and subsequently change that user's password without consent, effectively taking over the account. The issue lies in the inclusion of the recovery_token attribute in the users object returned by the API.

References

https://huntr.com/bounties/6057598d-93c4-4a94-bb80-5bd508013c5b

Affected packages

Git / github.com/lunary-ai/lunary

Affected ranges

Type: GIT
Repo: https://github.com/lunary-ai/lunary
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

e8242e697a13fbe9de8fffa5002cf56c3b7d17d2

Affected versions

1.*

1.2.4

Other

test1

test2

vtest

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.2.0

v0.2.1

v0.3.0

v0.3.1

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.2.0

v1.2.1

v1.2.10

v1.2.11

v1.2.12

v1.2.13

v1.2.2

v1.2.3

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.2.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5133.json"