CVE-2024-5478

Name of the Vulnerable Software and Affected Versions lunary-ai/lunary version 1.2.7

Description A Cross-site Scripting (XSS) issue exists due to the application's failure to escape or validate the orgId parameter supplied by the user before incorporating it into the generated response. The endpoint /auth/saml/${org?.id}/metadata generates XML responses for SAML metadata, where the orgId parameter is directly embedded into the XML structure without proper sanitization or validation. This flaw allows an attacker to inject arbitrary JavaScript code into the generated SAML metadata page, leading to potential theft of user cookies or authentication tokens.

Recommendations For lunary-ai/lunary version 1.2.7, as a temporary workaround, consider disabling the /auth/saml/${org?.id}/metadata endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using the orgId parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.