How severe is CVE-2024-5248?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2024-5248?

This is classified as CWE-862, which is a common weakness in software security.

CVE-2024-5248 - MEDIUM Severity | CVSS 6.5

Vulnerability Description

In lunary-ai/lunary version 1.2.5, an improper access control vulnerability exists due to a missing permission check in the `GET /v1/users/me/org` endpoint. The platform's role definitions restrict the `Prompt Editor` role to prompt management and project viewing/listing capabilities, explicitly excluding access to user information. However, the endpoint fails to enforce this restriction, allowing users with the `Prompt Editor` role to access the full list of users in the organization. This vulnerability allows unauthorized access to sensitive user information, violating the intended access controls.

Related Vulnerabilities

CVE-2013-3703

MEDIUM

CVSS:6.5(Medium)

The controller of the Open Build Service API prior to version 2.4.4 is missing a write permission check, allowing an authenticated attacker to add or remove user roles from packages and/or project met...

CWE-8622013

CVE-2013-4226

MEDIUM

CVSS:6.5(Medium)

The Authenticated User Page Caching (Authcache) module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to cached pages, which allows remote attackers with the same role-combination...

CWE-8622013

CVE-2017-15680

MEDIUM

CVSS:6.5(Medium)

In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which allows unauthenticated attackers to view and modify administrative data.

CWE-8622017

CVE-2017-6564

MEDIUM

CVSS:6.5(Medium)

On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the Guest user, which contains the lowest privileges, can post to the idSourceFileName parameter found within the /download directory. This a...

CWE-8622017

CVE-2017-6923

MEDIUM

CVSS:6.5(Medium)

In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoi...

CWE-8622017

CVE-2018-11785

MEDIUM

CVSS:6.5(Medium)

Missing authorization check in Apache Impala before 3.0.1 allows a Kerberos-authenticated but unauthorized user to inject random data into a running query, leading to wrong results for a query.

CWE-8622018