Home > Vulnerability Database > CVE-2024-5277

Mend.io Vulnerability Database

CVE-2024-5277

Date: June 6, 2024

In lunary-ai/lunary version 1.2.4, a vulnerability exists in the password recovery mechanism where the reset password token is not invalidated after use. This allows an attacker who compromises the recovery token to repeatedly change the password of a victim's account. The issue lies in the backend's handling of the reset password process, where the token, once used, is not discarded or invalidated, enabling its reuse. This vulnerability could lead to unauthorized account access if an attacker obtains the recovery token.

Language: TYPE_SCRIPT

Severity Score

7.5

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-5277

Url: https://huntr.com/bounties/6aaba769-d99c-48cf-90d2-7abad984213d

Url: https://www.mend.io/vulnerability-database/CVE-2024-5277

Severity Score

7.5

Weakness Type (CWE)

Weak Password Recovery Mechanism for Forgotten Password

CWE-640

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-5277

Date: June 6, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?