← voltar
CVE-2024-7456

SQL Injection in lunary-ai/lunary

CVSS 9.8 CRITICALEPSS 1.4%CWE-89
A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without server-side validation or sanitization, enabling an attacker to execute arbitrary SQL commands. Successful exploitation can lead to complete data loss, modification, or corruption.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Produtos afetados
lunary-ai · lunary-ai/lunary
PoCs públicas encontradas1
githubgithub.com/77Philly/CVE-2024-7456scripts0
⚠ Recursos públicos, para você avaliar a exposição de sistemas que controla ou está autorizado a testar. Teste apenas com autorização.

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/lunary-ai/lunary/commit/6a0bc201181e0f4a0cc375ccf4ef0d7ae65c8a8ehttps://huntr.com/bounties/bfb3015e-5642-4d94-ab49-e8b49c4e07e4