CVE-2024-6086

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-6086

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-6086.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-6086

Published

2024-06-27T19:15:19Z

Modified

2025-01-14T12:17:41.033315Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization.

References

https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643

Affected packages

Git / github.com/lunary-ai/lunary

Affected ranges

Type: GIT
Repo: https://github.com/lunary-ai/lunary
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

c57cd50fa0477fd2a2efe60810c0099eebd66f54

Affected versions

1.*

1.2.4

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.2.0

v0.2.1

v0.3.0

v0.3.1

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.5

v1.2.6

v1.2.7