CVE-2024-11300

In lunary-ai/lunary before version 1.6.3, an improper access control vulnerability exists where a user can access prompt data of another user. This issue affects version 1.6.2 and the main branch. The vulnerability allows unauthorized users to view sensitive prompt data by accessing specific URLs, leading to potential exposure of critical information.

CVSS v3.0 6.5 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/lunary-ai/lunary/commit/79dc370596d979b756f6ea0250d97a2d02385ecd	Patch
https://huntr.com/bounties/8dca7994-0d92-491e-a419-02adfe23ffa4	Exploit
https://huntr.com/bounties/8dca7994-0d92-491e-a419-02adfe23ffa4	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:*

History

01 Apr 2025, 20:35

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
First Time		Lunary Lunary lunary
References	~~() https://huntr.com/bounties/8dca7994-0d92-491e-a419-02adfe23ffa4 -~~	() https://huntr.com/bounties/8dca7994-0d92-491e-a419-02adfe23ffa4 - Exploit
References	~~() https://github.com/lunary-ai/lunary/commit/79dc370596d979b756f6ea0250d97a2d02385ecd -~~	() https://github.com/lunary-ai/lunary/commit/79dc370596d979b756f6ea0250d97a2d02385ecd - Patch
CPE		cpe:2.3:a:lunary:lunary::::::::
CWE		NVD-CWE-Other

20 Mar 2025, 15:15

Type	Values Removed	Values Added
CWE	~~CWE-284~~

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-04-01 20:35

NVD link : CVE-2024-11300

Mitre link : CVE-2024-11300

JSON object : View

Products Affected

lunary

lunary

CWE

NVD-CWE-Other

6.5 /10