CSRF on User Signup Endpoint

Project: lunary

Severity: High

A Cross-Site Request Forgery (CSRF) vulnerability was identified in version 1.2.34 of lunary. Overly permissive CORS settings on the user signup endpoint allowed an attacker-controlled web page to issue cross-origin requests that sign up users and create projects as if the requests had been made locally. The issue was fixed in version 1.4.10.

Published: Sep 11 2024

CVSS score: 7.4

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Credit: patrik-ha
Remediation Steps
  • Update to version 1.4.10 or later.
  • Restrict CORS settings to an explicit allowlist of trusted origins; never use a wildcard or reflect the request's Origin header when credentials are allowed.
  • Implement CSRF tokens for all state-changing requests, since CORS alone only prevents a cross-site page from reading the response; a cross-site form POST is still delivered with the victim's cookies.
  • Regularly review and update security settings to adhere to best practices.
Patch Details
  • Fixed Version: 1.4.10
  • Patch Commit: https://github.com/lunary-ai/lunary/commit/3451fcd7b9d95e9091d62c515752f39f2faa6e54