PT-2024-35957 · Lunary
Published 2024-10-17 · Updated 2026-02-11 · CVE-2024-5386
CVSS v3.1: 9.6 (Critical)
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
lunary-ai/lunary version 1.2.2
Description
A security issue exists in lunary-ai/lunary version 1.2.2 that allows account hijacking. A user with the 'viewer' role can obtain a password reset token by sending a specific request to the server; the token is returned in the recoveryToken parameter of the response. That token can then be used to reset the password of another user's account without authorization, leading to account takeover. The root cause is an excessive attack surface that lets lower-privileged users escalate their privileges.
Recommendations
Apply a fix that prevents 'viewer' role users from obtaining password reset tokens.
Fix
LPE
Weakness Enumeration
Related Identifiers
Affected Products
Lunary
Lunary-Ai/Lunary