U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database

Vulnerability Change Records for CVE-2024-1665

Change History

CVE Translated by huntr.dev 6/07/2024 1:15:49 PM

Action Type Old Value New Value
Removed Translation 
Title: lunary-ai/lunary
Description: lunary-ai/lunary versión 1.0.0 es vulnerable a la creación de evaluaciones no autorizadas debido a que faltan verificaciones del lado del servidor para el estado de la cuenta de usuario durante la creación de la evaluación. Si bien la interfaz de usuario web restringe la creación de evaluaciones a cuentas pagas, el endpoint API del lado del servidor '/v1/evaluations' no verifica si el usuario tiene una cuenta paga, lo que permite a los usuarios con cuentas gratuitas o autohospedadas crear evaluaciones ilimitadas sin actualizar su cuenta. Esta vulnerabilidad se debe a la falta de validación del estado de la cuenta en el proceso de creación de la evaluación.
 

								
								
					

				
			




		

	
		

			 
			

				CVE Modified by huntr.dev 6/07/2024 1:15:49 PM
			



			

				 
					

						Action
						Type
						Old Value
						New Value
					

				
				
					

						Removed
						CVSS V3
						
							
							
								
							
								
huntr.dev AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

								
							
							
								
							
						
								
							
								

								
								
					

					

						Removed
						CWE
						
							
							
								
							
								
huntr.dev CWE-770

								
							
							
								
							
						
								
							
								

								
								
					

					

						Changed
						Description
						
							
							
								
							
								
lunary-ai/lunary version 1.0.0 is vulnerable to unauthorized evaluation creation due to missing server-side checks for user account status during evaluation creation. While the web UI restricts evaluation creation to paid accounts, the server-side API endpoint '/v1/evaluations' does not verify if the user has a paid account, allowing users with free or self-hosted accounts to create unlimited evaluations without upgrading their account. This vulnerability is due to the lack of account status validation in the evaluation creation process.

								
							
							
								
							
						
								
							
								
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

								
								
					

					

						Removed
						Reference
						
							
							
								
							
								
huntr.dev https://github.com/lunary-ai/lunary/commit/c57cd50fa0477fd2a2efe60810c0099eebd66f54

								
							
							
								
							
						
								
							
								

								
								
					

					

						Removed
						Reference
						
							
							
								
							
								
huntr.dev https://huntr.com/bounties/c0e6299e-ea45-435c-b849-53d50ffc0e83

								
							
							
								
							
						
								
							
								

								
								
					

				
			




		

	
		

			 
			

				CVE Rejected by huntr.dev 6/07/2024 1:15:49 PM
			



			

				 
					

						Action
						Type
						Old Value
						New Value