Sightline

Critical

lunary

IDOR Vulnerability Allowing View/Delete of External Users

An IDOR vulnerability in version 1.3.2 allows authenticated users to view or delete external users by manipulating the user ID in the request. This issue was patched in version 1.3.4.

Available publicly on Sep 29 2024 | Available with Premium on Aug 24 2024

CVE:

CVE-2024-7474

CWE:

284:Improper Access Control

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Credit:

meme-dm

Assess Detect

Premium

Remediate

Remediation Steps

Update to version 1.3.4 or later.
Implement proper access control checks to ensure that users can only access or modify their own records.
Validate and sanitize user input to prevent manipulation of ID parameters.
Conduct regular security audits and code reviews to identify and fix similar vulnerabilities.

Patch Details

Fixed Version: 1.3.4
Patch Commit: https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5

Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have 508- related security advisories that are available with Sightline Premium.