How severe is CVE-2024-5277?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.4 out of 10.

What type of vulnerability is CVE-2024-5277?

This is classified as CWE-640, which is a common weakness in software security.

CVE-2024-5277 - MEDIUM Severity | CVSS 6.4

Vulnerability Description

In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account. The issue lies in the backend's handling of the reset password process, where the token, once used, is not discarded or invalidated, enabling its reuse. This vulnerability could lead to unauthorized account access if an attacker obtains the recovery token.

Related Vulnerabilities

CVE-2016-5997

MEDIUM

CVSS:6.5(Medium)

The web portal in IBM Tealeaf Customer Experience before 8.7.1.8847 FP10, 8.8 before 8.8.0.9049 FP9, 9.0.0 and 9.0.1 before 9.0.1.1117 FP5, 9.0.1A before 9.0.1.5108_9.0.1A FP5, 9.0.2 before 9.0.2.1223...

CWE-6402016

CVE-2017-1000141

MEDIUM

CVSS:6.5(Medium)

An issue was discovered in Mahara before 18.10.0. It mishandled user requests that could discontinue a user's ability to maintain their own account (changing username, changing primary email address, ...

CWE-6402017

CVE-2018-12315

MEDIUM

CVSS:6.5(Medium)

Missing verification of a password in ASUSTOR ADM version 3.1.1 allows attackers to change account passwords without entering the current password.

CWE-6402018

CVE-2019-15749

MEDIUM

CVSS:6.5(Medium)

SITOS six Build v6.2.1 allows a user to change their password and recovery email address without requiring them to confirm the change with their old password. This would allow an attacker with access ...

CWE-6402019

CVE-2021-44839

MEDIUM

CVSS:6.5(Medium)

An issue was discovered in Delta RM 1.2. It is possible to request a new password for any other account using the account ID. Using the /listes/DTsendmaildata/adm_utilisateur/send-mail.json endpoint, ...

CWE-6402021

CVE-2023-5840

MEDIUM

CVSS:6.5(Medium)

Weak Password Recovery Mechanism for Forgotten Password in GitHub repository linkstackorg/linkstack prior to v4.2.9.

CWE-6402023