| |
Vulnerability CVE-2024-4153
Published: 2024-05-22
| Description: |
A vulnerability in lunary-ai/lunary version 1.2.2 allows attackers to bypass user creation limits and potentially evade payment requirements. The issue arises from an undefined behavior when handling input to the API, specifically through a POST request to the /v1/users endpoint. By crafting a request with a new user's email and assigning them an 'admin' role, attackers can invite additional users beyond the set limit. This vulnerability could be exploited to add an unlimited number of users without adhering to the intended restrictions. |
Type:
CWE-475 (Undefined Behavior for Input to API)
References: |
https://huntr.com/bounties/336db0ae-fe33-44b9-ba9d-bf117e0d90c4
|
|
|
Copyright 2024, cxsecurity.com
|
|
|
