CVE-2024-5277
published 2024-06-06CVE-2024-5277: In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This…
PriorityP345high7.5CVSS 3.1
AVNACHPRNUIRSUCHIHAH
EPSS
0.35%
27.2th percentile
In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account. The issue lies in the backend's handling of the reset password process, where the token, once used, is not discarded or invalidated, enabling its reuse. This vulnerability could lead to unauthorized account access if an attacker obtains the recovery token.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lunary-ai | lunary-ai_lunary | unspecified – latest | — |
| lunary | lunary | < 1.4.9 | 1.4.9 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv3.06.4MEDIUMCVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-06-06
Published