CVE-2024-1740

CRITICAL Year: 2024
CVSS v3 Score
9.1
Critical
Weakness Type
CWE-863
View all →

Vulnerability Description

In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user removed from an organization can still read, create, modify, and delete logs by re-using an old authorization token. The lunary web application communicates with the server using an 'Authorization' token in the browser, which does not properly invalidate upon the user's removal from the organization. This allows the removed user to perform unauthorized actions on logs and access project and external user details without valid permissions.

Related Vulnerabilities

CVE-2010-2548

CRITICAL
CVSS:9.1(Critical)

IcedTea6 before 1.7.4 does not properly check property access, which allows unsigned apps to read and write arbitrary files.

CWE-8632010

CVE-2013-1350

CRITICAL
CVSS:9.1(Critical)

Verax NMS prior to 2.1.0 has multiple security bypass vulnerabilities

CWE-8632013

CVE-2018-7245

CRITICAL
CVSS:9.1(Critical)

An improper authorization vulnerability exists In Schneider Electric's 66074 MGE Network Management Card Transverse installed in MGE UPS and MGE STS. The integrated web server (Port 80/443/TCP) of the...

CWE-8632018

CVE-2020-7692

CRITICAL
CVSS:9.1(Critical)

PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee...

CWE-8632020

CVE-2021-26040

CRITICAL
CVSS:9.1(Critical)

An issue was discovered in Joomla! 4.0.0. The media manager does not correctly check the user's permissions before executing a file deletion command.

CWE-8632021

CVE-2021-29943

CRITICAL
CVSS:9.1(Critical)

When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client cr...

CWE-8632021