CVE-2024-7472

MEDIUM Year: 2024
CVSS v3 Score
5.3
Medium
Weakness Type
CWE-75
View all →

Vulnerability Description

lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a different whitespace character (e.g., \xa0). This vulnerability can be exploited to conduct phishing attacks, damage the application's brand, cause legal and compliance issues, and result in financial impact due to unauthorized email usage.

Related Vulnerabilities

CVE-2024-9940

MEDIUM
CVSS:5.3(Medium)

The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from sub...

CWE-752024

CVE-2022-3607

MEDIUM
CVSS:6.0(Medium)

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository octoprint/octoprint prior to 1.8.3.

CWE-752022

CVE-2024-31806

MEDIUM
CVSS:6.5(Medium)

TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a Denial-of-Service (DoS) vulnerability in the RebootSystem function which can reboot the system without authorization.

CWE-752024

CVE-2024-31812

MEDIUM
CVSS:6.5(Medium)

In TOTOLINK EX200 V4.0.3c.7646_B20201211, an attacker can obtain sensitive information without authorization through the function getWiFiExtenderConfig.

CWE-752024

CVE-2022-4721

MEDIUM
CVSS:6.6(Medium)

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository ikus060/rdiffweb prior to 2.5.5.

CWE-752022

CVE-2024-27622

HIGH
CVSS:7.2(High)

A remote code execution vulnerability has been identified in the User Defined Tags module of CMS Made Simple version 2.2.19 / 2.2.21. This vulnerability arises from inadequate sanitization of user-sup...

CWE-752024