CVE-2024-6086
CVE-2024-6086 is a medium-severity vulnerability rated 4.3/10 on the CVSS scale: an improper access control flaw in lunary-ai/lunary version 1.2.7 that lets any authenticated user, whatever their role, rename an organization. EPSS estimates a 0.41% chance of exploitation in the next 30 days.
Description
In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization.
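To make the flaw concrete, here is an added example (not Lunary's own code) that models an organization rename handler twice: once as described above, where authentication and org membership are checked but the role never is, and once with a role-based checkAccess() call in front of the write. The names ROLE_PERMISSIONS, checkAccess, makeState, renameOrgVulnerable and renameOrgFixed, and the permission strings, are assumptions; the 'Prompt Editor' role from the advisory is modelled as prompt_editor.

```javascript
// Hypothetical role-to-permission table (assumption, not Lunary's real model).
const ROLE_PERMISSIONS = {
  owner: new Set(['org:read', 'org:update']),
  admin: new Set(['org:read', 'org:update']),
  prompt_editor: new Set(['org:read', 'prompts:update']), // lowest privilege
};

// The authorization check that the vulnerable code path never invokes.
function checkAccess(role, permission) {
  const perms = ROLE_PERMISSIONS[role];
  return perms !== undefined && perms.has(permission);
}

// Constructed sample state: one org, an owner and a prompt editor.
function makeState() {
  return {
    orgs: { org1: { id: 'org1', name: 'Acme' } },
    users: {
      u1: { id: 'u1', orgId: 'org1', role: 'owner' },
      u2: { id: 'u2', orgId: 'org1', role: 'prompt_editor' },
    },
  };
}

// Vulnerable form: authenticated + member of the org is treated as enough.
function renameOrgVulnerable(state, userId, orgId, newName) {
  const user = state.users[userId];
  if (!user || user.orgId !== orgId) return { status: 403 };
  state.orgs[orgId].name = newName; // any role reaches this write
  return { status: 200, name: state.orgs[orgId].name };
}

// Fixed form: the write is gated on a role permission via checkAccess().
function renameOrgFixed(state, userId, orgId, newName) {
  const user = state.users[userId];
  if (!user) return { status: 401 };
  if (user.orgId !== orgId || !checkAccess(user.role, 'org:update')) {
    return { status: 403 };
  }
  if (typeof newName !== 'string' || newName.trim() === '') return { status: 400 };
  state.orgs[orgId].name = newName.trim();
  return { status: 200, name: state.orgs[orgId].name };
}

// Stand-alone demo: the prompt editor succeeds only against the vulnerable handler.
console.log(renameOrgVulnerable(makeState(), 'u2', 'org1', 'Renamed')); // status 200
console.log(renameOrgFixed(makeState(), 'u2', 'org1', 'Renamed'));      // status 403
```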
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Lunary | Lunary | 1.2.7 |
References
- https://huntr.com/bounties/9e83f63f-c5c1-422f-8010-95c353f0c643 (Exploit, Third Party Advisory)
Source: NVD / NIST
