CVE-2024-7474: IDOR in lunary-ai/lunary

9.1 CVSS

Description

In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. A user can view or delete external users by manipulating the 'id' parameter in the request URL. The application does not perform adequate checks on the 'id' parameter, allowing unauthorized access to external user data.
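To make the IDOR pattern concrete from a defender's side, the following is an added example (not lunary's code, and not the fix in the referenced commit): a hypothetical handler pair for an "external user" resource, first written the way the description above implies (the record is fetched or deleted purely by the `id` taken from the URL) and then hardened so that every lookup is scoped to the caller's own project, which is taken from the authenticated session rather than from the request. The data, the `projectId` field and the Koa-style `ctx` shape are constructed assumptions.

```javascript
// Constructed sample data: two "external users" belonging to two different
// projects. This is a hypothetical schema, not lunary's.
function makeStore() {
  return new Map([
    [101, { id: 101, projectId: "proj-A", externalId: "alice@example.com" }],
    [102, { id: 102, projectId: "proj-B", externalId: "bob@example.com" }],
  ]);
}

// Minimal Koa-like context: `state` is filled by the auth middleware,
// `params` comes straight from the URL (attacker-controlled).
function makeCtx(projectId, id) {
  return { state: { projectId }, params: { id: String(id) } };
}

// ---- Vulnerable pattern (assumed shape, not the project's code) ----
// The record is looked up by the URL id alone. Nothing ties the record
// to the caller, so any authenticated user can read or delete any id.
function getExternalUserVulnerable(store, ctx) {
  const user = store.get(Number(ctx.params.id));
  return user ? { status: 200, body: user } : { status: 404, body: null };
}

function deleteExternalUserVulnerable(store, ctx) {
  return { status: store.delete(Number(ctx.params.id)) ? 200 : 404 };
}

// ---- Hardened pattern ----
// Every lookup is filtered by the caller's project. A record that exists
// but belongs to another project is treated exactly like a missing one,
// so the response does not leak whether the id is in use elsewhere.
function findOwned(store, id, projectId) {
  const user = store.get(id);
  return user && user.projectId === projectId ? user : null;
}

function parseId(raw) {
  const id = Number(raw);
  return Number.isInteger(id) && id > 0 ? id : null;
}

function getExternalUserHardened(store, ctx) {
  const id = parseId(ctx.params.id);
  if (id === null) return { status: 400, body: null };
  const user = findOwned(store, id, ctx.state.projectId);
  return user ? { status: 200, body: user } : { status: 404, body: null };
}

function deleteExternalUserHardened(store, ctx) {
  const id = parseId(ctx.params.id);
  if (id === null) return { status: 400 };
  // Ownership is checked before any write; the delete itself is keyed by
  // the same id+project pair, never by the bare id.
  if (!findOwned(store, id, ctx.state.projectId)) return { status: 404 };
  store.delete(id);
  return { status: 200 };
}

// Runs both variants against the same cross-project request and returns
// the status codes, so the difference is visible without a server.
function demo() {
  const vulnerable = makeStore();
  const hardened = makeStore();
  const crossProject = makeCtx("proj-A", 102); // proj-A caller, proj-B record
  return {
    vulnerableRead: getExternalUserVulnerable(vulnerable, crossProject).status,
    vulnerableDelete: deleteExternalUserVulnerable(vulnerable, crossProject).status,
    hardenedRead: getExternalUserHardened(hardened, crossProject).status,
    hardenedDelete: deleteExternalUserHardened(hardened, crossProject).status,
    hardenedStillHasRecord: hardened.has(102),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The design point is that the project (or tenant, or owning user) used in the filter must originate from the authenticated session, never from a request parameter, and that an unauthorized id should produce the same 404 as a non-existent one. Logging 404s on these routes per caller is also a cheap detection signal: a single session walking sequential ids across projects stands out.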

Classification

CVE ID: CVE-2024-7474

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.1

Affected Products

Vendor: lunary-ai

Product: lunary-ai/lunary

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation in the wild)

EPSS Percentile: 22.01% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-07 (date the score was calculated)

References

https://huntr.com/bounties/95d8b993-3347-4ef5-a2b3-1f57219b7871
https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5

Timeline