We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-5277

Weak Password Recovery Mechanism in lunary-ai/lunary



Description

In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account. The issue lies in the backend's handling of the reset password process, where the token, once used, is not discarded or invalidated, enabling its reuse. This vulnerability could lead to unauthorized account access if an attacker obtains the recovery token.

Reserved 2024-05-23 | Published 2024-06-06 | Updated 2024-08-01 | Assigner @huntr_ai


MEDIUM: 6.4CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

Problem types

CWE-640 Weak Password Recovery Mechanism for Forgotten Password

Product status

Any version
affected

References

huntr.com/bounties/6aaba769-d99c-48cf-90d2-7abad984213d

cve.org (CVE-2024-5277)

nvd.nist.gov (CVE-2024-5277)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-5277

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.