Critical

lunary

IDOR Vulnerability Allowing View/Delete of External Users

An IDOR vulnerability in version 1.3.2 allows authenticated users to view or delete external users by manipulating the user ID in the request. This issue was patched in version 1.3.4.

Published: Sep 29 2024

CVSS score: 9.1

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Credit: meme-dm

Remediation Steps
  • Update to version 1.3.4 or later.
  • Implement proper access control checks to ensure that users can only access or modify their own records.
  • Validate and sanitize user input to prevent manipulation of ID parameters.
  • Conduct regular security audits and code reviews to identify and fix similar vulnerabilities.

Patch Details
  • Fixed Version: 1.3.4
  • Patch Commit: https://github.com/lunary-ai/lunary/commit/8f563c77d8614a72980113f530c7a9ec15a5f8d5