PT-2024-38372 · Lunary · Lunary

Published: 2024-10-29 · Updated: 2024-10-31 · CVE-2024-7472

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: lunary-ai/lunary version 1.2.26

Description: The issue allows an unauthenticated attacker to inject data into outgoing emails by bypassing the extractFirstName function with a whitespace character other than the ASCII space, such as \xa0 (the non-breaking space), which the function does not treat as a word separator. This can be exploited to conduct phishing attacks, damage the application's brand, cause legal and compliance issues, and result in financial impact due to unauthorized email usage. The vulnerability is present in the Send email verification API (/v1/users/send-verification) and the Sign up API (/auth/signup).

Recommendations: For version 1.2.26, as a temporary workaround, consider disabling the extractFirstName function or restricting the use of whitespace characters in the affected API endpoints until a patch is available. Avoid using the affected API endpoints (/v1/users/send-verification and /auth/signup) for sending verification emails until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Special Elements Injection

Weakness Enumeration

Related Identifiers: CVE-2024-7472

Affected Products: Lunary