CVE-2024-7472

MEDIUM EPSS 33.5%
Published Oct 29, 20241y ago · Modified Jun 17, 20261w ago
6.5 CVSS 3.1
Medium
Find Similar
Published Oct 29, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a different whitespace character (e.g., \xa0). This vulnerability can be exploited to conduct phishing attacks, damage the application's brand, cause legal and compliance issues, and result in financial impact due to unauthorized email usage.

CVSS Details

Base Score
6.5
Exploitability
2.8
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
33.5% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-74
CWE-93

Affected Products 1

VendorProductVersionRange
lunarylunary1.2.26any

References 2

  • github.com https://github.com/lunary-ai/lunary/commit/a39837d7c49936a0c435d241f37ca2ea7904d2cd
    Patch
  • huntr.com https://huntr.com/bounties/dc1feec6-1efb-4538-9b56-ab25deb80948
    ExploitThird Party Advisory

Remediation

  • github.com https://github.com/lunary-ai/lunary/commit/a39837d7c49936a0c435d241f37ca2ea7904d2cd
    Patch