CVE-2024-11300
Improper Access Control in lunary-ai/lunary
In short
A user could view another user's private prompt data by accessing certain URLs in the Lunary application. This is a serious security problem because it exposes sensitive information that should be kept private.
Technical detail
Improper access control in Lunary versions before 1.6.3 allows horizontal privilege escalation via URL manipulation to retrieve prompt data belonging to other users. The vulnerability requires authentication but no additional pre-conditions; impact includes unauthorized disclosure of confidential prompt information.
Summary generated and translated by AI from the official description.
In lunary-ai/lunary before version 1.6.3, an improper access control vulnerability exists where a user can access prompt data of another user. This issue affects version 1.6.2 and the main branch. The vulnerability allows unauthorized users to view sensitive prompt data by accessing specific URLs, leading to potential exposure of critical information.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
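The flaw class the advisory describes (a prompt looked up only by the identifier taken from the URL, with no check that the record belongs to the caller's tenant) beside the scoped lookup that closes it, as an added JavaScript illustration that is not Lunary's code; the data model, function names and sample rows are assumptions.

```javascript
"use strict";
// Constructed sample data (assumed model): prompts belong to a project,
// projects belong to an organisation; the session carries the caller's org.
const PROMPTS = [
  { id: 101, projectId: 1, name: "billing-assistant", body: "private prompt A" },
  { id: 202, projectId: 2, name: "support-bot", body: "private prompt B" },
];
const PROJECTS = [
  { id: 1, orgId: "org-alpha" },
  { id: 2, orgId: "org-beta" },
];

class NotFound extends Error {}

// Vulnerable pattern: the row is fetched purely by the id from the URL.
// The caller's identity never enters the query, so any authenticated user
// who supplies another tenant's id receives that tenant's prompt.
function getPromptVulnerable(session, promptId) {
  const prompt = PROMPTS.find((p) => p.id === promptId);
  if (!prompt) throw new NotFound();
  return prompt;
}

// Hardened pattern: the lookup is scoped to the caller's organisation, so a
// record outside that scope is indistinguishable from a missing one
// (a uniform 404 also avoids confirming that a guessed id exists).
function getPromptScoped(session, promptId) {
  const prompt = PROMPTS.find((p) => p.id === promptId);
  const project = prompt && PROJECTS.find((pr) => pr.id === prompt.projectId);
  if (!project || project.orgId !== session.orgId) throw new NotFound();
  return prompt;
}

// Mimics a route handler's outcome as an HTTP status so the two variants can
// be compared without a web framework.
function handle(fn, session, promptId) {
  try {
    return { status: 200, body: fn(session, promptId) };
  } catch (e) {
    if (e instanceof NotFound) return { status: 404 };
    throw e;
  }
}

// Demo: a user from org-beta requests prompt 101, which belongs to org-alpha.
const outsider = { userId: "u-42", orgId: "org-beta" };
console.log(handle(getPromptVulnerable, outsider, 101).status); // 200: leak
console.log(handle(getPromptScoped, outsider, 101).status);     // 404: denied
```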
Affected products
lunary-ai · lunary-ai/lunary