CVE-2024-1665 – lunary-ai/lunary version 1.0.0 is vulnerable to unauthorized evaluation creation due to …

16 April 2024

Vuln ID: CVE-2024-1665

Published: 2024-04-16 00:15:10.150

Description: lunary-ai/lunary version 1.0.0 is vulnerable to unauthorized evaluation creation due to missing server-side checks for user account status during evaluation creation. While the web UI restricts evaluation creation to paid accounts, the server-side API endpoint ‘/v1/evaluations’ does not verify if the user has a paid account, allowing users with free or self-hosted accounts to create unlimited evaluations without upgrading their account. This vulnerability is due to the lack of account status validation in the evaluation creation process.

Base Score: –

Vector:

Source: NVD.NIST.GOV

Date:

16 April 2024

Categorie(s):

NVD

Tag(s):

NVD

UK outlaws awful default passwords on connected devices29 April 2024
Account compromise of “unprecedented scale” uses everyday home devices29 April 2024
Connected devices with awful default passwords now illegal in UK29 April 2024
Chrome users report broken connections after Chrome 124 release29 April 2024
Impact of cybersecurity organizational structure on ransomware outcomes: The most successful models29 April 2024