Hughcrt

**Name of the Vulnerable Software and Affected Versions** lunary-ai/lunary version v1.4.2 **Description** A SQL injection vulnerability exists in the "/api/v1/external-users" route. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without server-side validation or sanitization, enabling an attacker to execute arbitrary SQL commands. Successful exploitation can lead to complete data loss, modification, or corruption. **Recommendations** For lunary-ai/lunary version v1.4.2, as a temporary workaround, consider disabling the `/api/v1/external-users` route until a patch is available. Restrict access to this route to minimize the risk of exploitation. Avoid using the `orderByClause` variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** lunary-ai/lunary version 1.2.34 **Description** A Cross-Site Request Forgery (CSRF) vulnerability exists due to overly permissive CORS settings, allowing an attacker to sign up for and create projects or use the instance as if they were a user with local access. The main attack vector is for instances hosted locally on personal machines, which are not publicly accessible. The CORS settings in the backend permit all origins, exposing unauthenticated endpoints to CSRF attacks. **Recommendations** For lunary-ai/lunary version 1.2.34, consider restricting the CORS settings to only permit necessary origins, and implement proper CSRF protection mechanisms to prevent unauthorized access. As a temporary workaround, consider disabling unauthenticated endpoints until a patch is available. Restrict access to the instance, especially for those hosted locally on personal machines, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** lunary-ai/lunary version 1.2.5 **Description** An improper access control issue exists due to a missing permission check in the "GET /v1/users/me/org" endpoint. The platform's role definitions restrict the `Prompt Editor` role to prompt management and project viewing/listing capabilities, excluding access to user information. However, the endpoint fails to enforce this restriction, allowing users with the `Prompt Editor` role to access the full list of users in the organization. This issue allows unauthorized access to sensitive user information, violating intended access controls. **Recommendations** For lunary-ai/lunary version 1.2.5, as a temporary workaround, consider restricting access to the "GET /v1/users/me/org" endpoint until a patch is available. Additionally, review and enforce role definitions to prevent unauthorized access to sensitive user information. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** lunary-ai/lunary version 1.0.1 **Description** A vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary web application communicates with the server using an 'Authorization' token in the browser, which does not properly invalidate upon the user's removal from the organization. This allows the removed user to perform unauthorized actions on logs and access project and external user details without valid permissions. **Recommendations** For lunary-ai/lunary version 1.0.1, consider implementing a proper token invalidation mechanism upon user removal from an organization to prevent unauthorized access. As a temporary workaround, restrict access to sensitive logs and project details for removed users until a patch is available.