How severe is CVE-2024-1626?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2024-1626?

This is classified as CWE-639, which is a common weakness in software security.

CVE-2024-1626 - CRITICAL Severity | CVSS 9.1

Vulnerability Description

An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization checks, by directly referencing the project's ID in the PATCH request to the '/v1/projects/:projectId' endpoint. This issue arises because the endpoint does not verify if the provided project ID belongs to the currently authenticated user, enabling unauthorized modifications across different organizational projects.

Related Vulnerabilities

CVE-2019-17382

CRITICAL

CVSS:9.1(Critical)

An issue was discovered in zabbix.php?action=dashboard.view&dashboardid=1 in Zabbix through 4.4. An attacker can bypass the login page and access the dashboard page, and then create a Dashboard, Repor...

CWE-6392019

CVE-2019-17574

CRITICAL

CVSS:9.1(Critical)

An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or p...

CWE-6392019

CVE-2019-19755

CRITICAL

CVSS:9.1(Critical)

ethOS through 1.3.3 ships with SSH host keys baked into the installation image, which allows man-in-the-middle attacks and makes identification of all public IPv4 nodes trivial with Shodan.io. NOTE: a...

CWE-6392019

CVE-2021-32654

CRITICAL

CVSS:9.1(Critical)

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. ...

CWE-6392021

CVE-2022-1165

CRITICAL

CVSS:9.1(Critical)

The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP etc to determine the IP address of requests hitting the blackhole URL, which allows them to be...

CWE-6392022

CVE-2022-36247

CRITICAL

CVSS:9.1(Critical)

Shop Beat Solutions (Pty) LTD Shop Beat Media Player 2.5.95 up to 3.2.57 is vulnerable to IDOR via controlpanel.shopbeat.co.za.

CWE-6392022