Description
In version 1.3.2 of lunary-ai/lunary, an Insecure Direct Object Reference (IDOR) vulnerability exists. A user can view or delete external users by manipulating the 'id' parameter in the request URL. The application does not perform adequate checks on the 'id' parameter, allowing unauthorized access to external user data.
References (2)
Core References
Exploit, Issue Tracking, Third Party Advisory
https://huntr.com/bounties/95d8b993-3347-4ef5-a2b3-1f57219b7871
Scores
CVSS v3: 8.1
EPSS: 0.0025
EPSS Percentile: 48.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-639
Status: published
Products (1)
lunary/lunary: < 1.3.4
Published: Oct 29, 2024
Tracked Since: Feb 18, 2026