THREATINT

We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Zendesk (Helpdesk and Chat)

Ok

PUBLISHED

CVE-2024-5277

Weak Password Recovery Mechanism in lunary-ai/lunary

Reserved:2024-05-23
Published:2024-06-06
Updated:2024-06-06

Description

In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account. The issue lies in the backend's handling of the reset password process, where the token, once used, is not discarded or invalidated, enabling its reuse. This vulnerability could lead to unauthorized account access if an attacker obtains the recovery token.



MEDIUM: 6.4CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

Problem types

CWE-640 Weak Password Recovery Mechanism for Forgotten Password

Product status

Any version
affected

References

https://huntr.com/bounties/6aaba769-d99c-48cf-90d2-7abad984213d

cve.org CVE-2024-5277

nvd.nist.gov CVE-2024-5277

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-5277