CVE-2024-1902

HIGH Year: 2024
CVSS v3 Score
7.5
High
Weakness Type
CWE-821
View all →

Vulnerability Description

lunary-ai/lunary is vulnerable to a session reuse attack, allowing a removed user to change the organization name without proper authorization. The vulnerability stems from the lack of validation to check if a user is still part of an organization before allowing them to make changes. An attacker can exploit this by using an old authorization token to send a PATCH request, modifying the organization's name even after being removed from the organization. This issue is due to incorrect synchronization and affects the orgs.patch route.

Related Vulnerabilities

CVE-2024-1739

HIGH
CVSS:7.5(High)

lunary-ai/lunary is vulnerable to an authentication issue due to improper validation of email addresses during the signup process. Specifically, the server fails to treat email addresses as case insen...

CWE-8212024

CVE-2023-5088

HIGH
CVSS:7.0(High)

A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for...

CWE-8212023

CVE-2024-7043

HIGH
CVSS:8.1(High)

An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is an administrator, allowi...

CWE-8212024

CVE-2024-6657

MEDIUM
CVSS:6.5(Medium)

A denial of service may be caused to a single peripheral device in a BLE network when multiple central devices continuously connect and disconnect to the peripheral. A hard reset is required to recove...

CWE-8212024

CVE-2022-1931

CRITICAL
CVSS:9.1(Critical)

Incorrect Synchronization in GitHub repository polonel/trudesk prior to 1.2.3.

CWE-8212022

CVE-2022-1931

CRITICAL
CVSS:9.1(Critical)

Incorrect Synchronization in GitHub repository polonel/trudesk prior to 1.2.3.

CWE-8212022