Severity: High

Project: lunary

Cross-Organization Prompt Deletion via ID Manipulation

A vulnerability in version 1.2.13 allowed users to delete prompts from other organizations by manipulating request parameters. This issue was patched in version 1.2.25.

CVSS Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Credit: acciobugs

Remediation Steps
  • Update to version 1.2.25 or later.
  • Implement additional access control checks to validate the ownership of the resource being deleted.
  • Ensure that the projectId parameter is always required and validated in DELETE requests.
  • Conduct a thorough review of access control mechanisms to prevent similar issues in other endpoints.
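As an added illustration of the two remediation points above (validating ownership of the resource being deleted, and requiring and validating projectId on DELETE requests), the following is example code written for this page, not lunary's own handler. It assumes a hypothetical Express-style request shape (params, query, user), an in-memory store, and a prompt -> project -> organization model; the weak form shows the class of defect the advisory describes, the hardened form shows the check.

```javascript
// Added example, not lunary's code: a DELETE /prompts/:id handler in a weak and
// a hardened form. The request shape (params, query, user), the in-memory store
// and the prompt -> project -> organization model are all hypothetical.

class HttpError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Constructed sample data: two organizations, each with one project and one prompt.
function makeStore() {
  return {
    projects: new Map([
      ["projA", { id: "projA", orgId: "org1" }],
      ["projB", { id: "projB", orgId: "org2" }],
    ]),
    prompts: new Map([
      ["p1", { id: "p1", projectId: "projA", name: "summarize" }],
      ["p2", { id: "p2", projectId: "projB", name: "classify" }],
    ]),
  };
}

// Weak form: the prompt is located by its id alone, so nothing ties the delete
// to the caller's own organization.
function deletePromptWeak(store, req) {
  const { id } = req.params;
  if (!store.prompts.has(id)) throw new HttpError(404, "prompt not found");
  store.prompts.delete(id);
  return { status: 200, deleted: id };
}

// Hardened form: projectId is mandatory, must resolve to a project in the
// caller's organization, and the prompt must belong to that project. A prompt
// that exists but belongs elsewhere is reported exactly like a missing one.
function deletePromptHardened(store, req) {
  const { id } = req.params;
  const projectId = req.query ? req.query.projectId : undefined;

  if (typeof projectId !== "string" || projectId.length === 0) {
    throw new HttpError(400, "projectId is required");
  }

  const project = store.projects.get(projectId);
  if (!project || project.orgId !== req.user.orgId) {
    throw new HttpError(403, "project is not in the caller's organization");
  }

  const prompt = store.prompts.get(id);
  if (!prompt || prompt.projectId !== projectId) {
    throw new HttpError(404, "prompt not found");
  }

  store.prompts.delete(id);
  return { status: 200, deleted: id };
}

// Turns a thrown HttpError into a plain result object so outcomes can be compared.
function attempt(handler, store, req) {
  try {
    return handler(store, req);
  } catch (e) {
    if (e instanceof HttpError) return { status: e.status, error: e.message };
    throw e;
  }
}

// Stand-alone demonstration: a caller from org1 sends a delete for org2's prompt.
function demo() {
  const crossOrg = { params: { id: "p2" }, query: { projectId: "projB" }, user: { orgId: "org1" } };
  return {
    weak: attempt(deletePromptWeak, makeStore(), crossOrg),         // status 200: prompt gone
    hardened: attempt(deletePromptHardened, makeStore(), crossOrg), // status 403: refused
  };
}

console.log(demo());
```

The ownership check is deliberately placed before the prompt lookup, and a prompt in another project returns the same 404 as a nonexistent one, so the endpoint neither deletes nor confirms the existence of resources outside the caller's organization.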
Patch Details
  • Fixed Version: 1.2.25
  • Patch Commit: https://github.com/lunary-ai/lunary/commit/0755dde1afc2a74ec23b55eee03e4416916cf48f