CVE-2024-11300

In lunary-ai/lunary before version 1.6.3, an improper access control vulnerability exists where a user can access prompt data of another user. This issue affects version 1.6.2 and the main branch. The vulnerability allows unauthorized users to view sensitive prompt data by accessing specific URLs, leading to potential exposure of critical information.
Configurations

Configuration 1

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

01 Apr 2025, 20:35

Type Values Removed Values Added
References () https://github.com/lunary-ai/lunary/commit/79dc370596d979b756f6ea0250d97a2d02385ecd - () https://github.com/lunary-ai/lunary/commit/79dc370596d979b756f6ea0250d97a2d02385ecd - Patch
References () https://huntr.com/bounties/8dca7994-0d92-491e-a419-02adfe23ffa4 - () https://huntr.com/bounties/8dca7994-0d92-491e-a419-02adfe23ffa4 - Exploit
CWE NVD-CWE-Other
CPE cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*
Summary
  • (es) In lunary-ai/lunary, versions prior to 1.6.3, there is an improper access control vulnerability that allows a user to access another user's prompt data. This issue affects version 1.6.2 and the main branch. This vulnerability allows unauthorized users to access confidential prompt data via specific URLs, which could expose critical information.
First Time Lunary lunary
Lunary
CVSS v2 : unknown, v3 : 8.8 (removed); v2 : unknown, v3 : 6.5 (added)

20 Mar 2025, 15:15

Type Values Removed Values Added
References () https://huntr.com/bounties/8dca7994-0d92-491e-a419-02adfe23ffa4 - () https://huntr.com/bounties/8dca7994-0d92-491e-a419-02adfe23ffa4 -

20 Mar 2025, 10:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-04-01 20:35


NVD link : CVE-2024-11300

Mitre link : CVE-2024-11300

CVE.ORG link : CVE-2024-11300



Products Affected

lunary

  • lunary
CWE
CWE-284

Improper Access Control

NVD-CWE-Other