In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account. The issue lies in the backend's handling of the reset password process, where the token, once used, is not discarded or invalidated, enabling its reuse. This vulnerability could lead to unauthorized account access if an attacker obtains the recovery token.
Metrics
Affected Vendors & Products
References
History
Wed, 09 Oct 2024 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Lunary
Lunary lunary |
|
CPEs | cpe:2.3:a:lunary:lunary:*:*:*:*:*:*:*:* | |
Vendors & Products |
Lunary
Lunary lunary |
|
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: @huntr_ai
Published: 2024-06-06T17:46:06.653Z
Updated: 2024-08-01T21:11:12.415Z
Reserved: 2024-05-23T16:37:42.172Z
Link: CVE-2024-5277
Vulnrichment
Updated: 2024-08-01T21:11:12.415Z
NVD
Status : Modified
Published: 2024-06-06T18:15:20.087
Modified: 2024-11-21T09:47:20.217
Link: CVE-2024-5277
Redhat
No data.