CWE-1125
ProhibitedExcessive Attack Surface
Abstraction: Base · Status: Incomplete
The product has an attack surface whose quantitative measurement exceeds a desirable maximum.
8 vulnerabilities reference this CWE, most recent first.
CVE-2024-5386 (GCVE-0-2024-5386)
Vulnerability from cvelistv5 – Published: 2026-02-02 10:36 – Updated: 2026-02-02 17:46- CWE-1125 - Excessive Attack Surface
| Vendor | Product | Version | |
|---|---|---|---|
| lunary-ai | lunary-ai/lunary |
Affected:
unspecified , < 1.2.14
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5386",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-02T17:46:01.274264Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T17:46:17.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lunary-ai/lunary",
"vendor": "lunary-ai",
"versions": [
{
"lessThan": "1.2.14",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a \u0027viewer\u0027 role can exploit this vulnerability to hijack another user\u0027s account by obtaining the password reset token. The vulnerability is triggered when the \u0027viewer\u0027 role user sends a specific request to the server, which responds with a password reset token in the \u0027recoveryToken\u0027 parameter. This token can then be used to reset the password of another user\u0027s account without authorization. The issue results from an excessive attack surface, allowing lower-privileged users to escalate their privileges and take over accounts."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1125",
"description": "CWE-1125 Excessive Attack Surface",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T10:36:23.506Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/602eb4a1-305d-46d6-b975-5a5d8b040ad1"
},
{
"url": "https://github.com/lunary-ai/lunary/commit/fc7ab3d5621c18992da5dab3a2a9a8d227d42311"
}
],
"source": {
"advisory": "602eb4a1-305d-46d6-b975-5a5d8b040ad1",
"discovery": "EXTERNAL"
},
"title": "Account Hijacking via Password Reset Token Leak in lunary-ai/lunary"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2024-5386",
"datePublished": "2026-02-02T10:36:23.506Z",
"dateReserved": "2024-05-25T19:37:51.776Z",
"dateUpdated": "2026-02-02T17:46:17.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-0435 (GCVE-0-2023-0435)
Vulnerability from cvelistv5 – Published: 2023-01-22 00:00 – Updated: 2025-04-02 15:50- CWE-1125 - Excessive Attack Surface
| Vendor | Product | Version | |
|---|---|---|---|
| pyload | pyload/pyload |
Affected:
unspecified , < 0.5.0b3.dev41
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:10:56.243Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://huntr.dev/bounties/a3e32ad5-caee-4f43-b10a-4a876d4e3f1d"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/pyload/pyload/commit/431ea6f0371d748df66b344a05ca1a8e0310cff3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-0435",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-02T15:49:55.092645Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-02T15:50:20.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "pyload/pyload",
"vendor": "pyload",
"versions": [
{
"lessThan": "0.5.0b3.dev41",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Excessive Attack Surface in GitHub repository pyload/pyload prior to 0.5.0b3.dev41."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1125",
"description": "CWE-1125 Excessive Attack Surface",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-22T00:00:00.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"url": "https://huntr.dev/bounties/a3e32ad5-caee-4f43-b10a-4a876d4e3f1d"
},
{
"url": "https://github.com/pyload/pyload/commit/431ea6f0371d748df66b344a05ca1a8e0310cff3"
}
],
"source": {
"advisory": "a3e32ad5-caee-4f43-b10a-4a876d4e3f1d",
"discovery": "EXTERNAL"
},
"title": "Excessive Attack Surface in pyload/pyload"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2023-0435",
"datePublished": "2023-01-22T00:00:00.000Z",
"dateReserved": "2023-01-22T00:00:00.000Z",
"dateUpdated": "2025-04-02T15:50:20.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2037 (GCVE-0-2022-2037)
Vulnerability from cvelistv5 – Published: 2022-06-09 08:20 – Updated: 2024-08-03 00:24- CWE-1125 - Excessive Attack Surface
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/4431ef84-93f2-4bc5-bc1… | x_refsource_CONFIRM |
| https://github.com/tooljet/tooljet/commit/fadf025… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| tooljet | tooljet/tooljet |
Affected:
unspecified , < v1.16.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:24:44.060Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/4431ef84-93f2-4bc5-bc1a-97d7f229b28e"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tooljet/tooljet/commit/fadf025365823cbbc739a1313791c0a04621972b"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tooljet/tooljet",
"vendor": "tooljet",
"versions": [
{
"lessThan": "v1.16.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Excessive Attack Surface in GitHub repository tooljet/tooljet prior to v1.16.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1125",
"description": "CWE-1125 Excessive Attack Surface",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-09T08:20:12.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/4431ef84-93f2-4bc5-bc1a-97d7f229b28e"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tooljet/tooljet/commit/fadf025365823cbbc739a1313791c0a04621972b"
}
],
"source": {
"advisory": "4431ef84-93f2-4bc5-bc1a-97d7f229b28e",
"discovery": "EXTERNAL"
},
"title": "Excessive Attack Surface in tooljet/tooljet",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-2037",
"STATE": "PUBLIC",
"TITLE": "Excessive Attack Surface in tooljet/tooljet"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "tooljet/tooljet",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "v1.16.0"
}
]
}
}
]
},
"vendor_name": "tooljet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Excessive Attack Surface in GitHub repository tooljet/tooljet prior to v1.16.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1125 Excessive Attack Surface"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/4431ef84-93f2-4bc5-bc1a-97d7f229b28e",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/4431ef84-93f2-4bc5-bc1a-97d7f229b28e"
},
{
"name": "https://github.com/tooljet/tooljet/commit/fadf025365823cbbc739a1313791c0a04621972b",
"refsource": "MISC",
"url": "https://github.com/tooljet/tooljet/commit/fadf025365823cbbc739a1313791c0a04621972b"
}
]
},
"source": {
"advisory": "4431ef84-93f2-4bc5-bc1a-97d7f229b28e",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-2037",
"datePublished": "2022-06-09T08:20:12.000Z",
"dateReserved": "2022-06-09T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:24:44.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-1715 (GCVE-0-2022-1715)
Vulnerability from cvelistv5 – Published: 2022-05-13 17:10 – Updated: 2024-08-03 00:10- CWE-1125 - Excessive Attack Surface
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/58918962-ccb5-47f9-bb4… | x_refsource_CONFIRM |
| https://github.com/neorazorx/facturascripts/commi… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| neorazorx | neorazorx/facturascripts |
Affected:
unspecified , < 2022.07
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:10:03.955Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/58918962-ccb5-47f9-bb43-ffd8cae1ef24"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/neorazorx/facturascripts/commit/714bebf4c35e3eedda138f5ee912a8031bc8b1ab"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "neorazorx/facturascripts",
"vendor": "neorazorx",
"versions": [
{
"lessThan": "2022.07",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Account Takeover in GitHub repository neorazorx/facturascripts prior to 2022.07."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1125",
"description": "CWE-1125 Excessive Attack Surface",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-13T17:10:10.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/58918962-ccb5-47f9-bb43-ffd8cae1ef24"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/neorazorx/facturascripts/commit/714bebf4c35e3eedda138f5ee912a8031bc8b1ab"
}
],
"source": {
"advisory": "58918962-ccb5-47f9-bb43-ffd8cae1ef24",
"discovery": "EXTERNAL"
},
"title": "Account Takeover in neorazorx/facturascripts",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-1715",
"STATE": "PUBLIC",
"TITLE": "Account Takeover in neorazorx/facturascripts"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "neorazorx/facturascripts",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2022.07"
}
]
}
}
]
},
"vendor_name": "neorazorx"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Account Takeover in GitHub repository neorazorx/facturascripts prior to 2022.07."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1125 Excessive Attack Surface"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/58918962-ccb5-47f9-bb43-ffd8cae1ef24",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/58918962-ccb5-47f9-bb43-ffd8cae1ef24"
},
{
"name": "https://github.com/neorazorx/facturascripts/commit/714bebf4c35e3eedda138f5ee912a8031bc8b1ab",
"refsource": "MISC",
"url": "https://github.com/neorazorx/facturascripts/commit/714bebf4c35e3eedda138f5ee912a8031bc8b1ab"
}
]
},
"source": {
"advisory": "58918962-ccb5-47f9-bb43-ffd8cae1ef24",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-1715",
"datePublished": "2022-05-13T17:10:10.000Z",
"dateReserved": "2022-05-13T00:00:00.000Z",
"dateUpdated": "2024-08-03T00:10:03.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-6JMX-PV77-WM5W
Vulnerability from github – Published: 2023-01-23 00:30 – Updated: 2023-02-01 09:20Excessive Attack Surface in GitHub repository pyload/pyload prior to 0.5.0b3.dev41.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pyload-ng"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.0b3.dev41"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-0435"
],
"database_specific": {
"cwe_ids": [
"CWE-1125"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-23T20:40:31Z",
"nvd_published_at": "2023-01-22T22:15:00Z",
"severity": "CRITICAL"
},
"details": "Excessive Attack Surface in GitHub repository pyload/pyload prior to 0.5.0b3.dev41.",
"id": "GHSA-6jmx-pv77-wm5w",
"modified": "2023-02-01T09:20:27Z",
"published": "2023-01-23T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0435"
},
{
"type": "WEB",
"url": "https://github.com/pyload/pyload/commit/431ea6f0371d748df66b344a05ca1a8e0310cff3"
},
{
"type": "PACKAGE",
"url": "https://github.com/pyload/pyload"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/a3e32ad5-caee-4f43-b10a-4a876d4e3f1d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Excessive Attack Surface in pyload-ng"
}
GHSA-9HW3-GF6M-6PWV
Vulnerability from github – Published: 2024-01-09 12:30 – Updated: 2024-01-09 12:30Network port 8899 open in WiFi firmware of BCC101/BCC102/BCC50 products, that allows an attacker to connect to the device via same WiFi network.
{
"affected": [],
"aliases": [
"CVE-2023-49722"
],
"database_specific": {
"cwe_ids": [
"CWE-1125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-09T10:15:20Z",
"severity": "HIGH"
},
"details": "Network port 8899 open in WiFi firmware of BCC101/BCC102/BCC50 products, that allows an attacker to connect to the device via same WiFi network.",
"id": "GHSA-9hw3-gf6m-6pwv",
"modified": "2024-01-09T12:30:36Z",
"published": "2024-01-09T12:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49722"
},
{
"type": "WEB",
"url": "https://psirt.bosch.com/security-advisories/BOSCH-SA-473852.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R75X-2FCV-J4PM
Vulnerability from github – Published: 2026-02-02 12:31 – Updated: 2026-02-02 12:31In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. The vulnerability is triggered when the 'viewer' role user sends a specific request to the server, which responds with a password reset token in the 'recoveryToken' parameter. This token can then be used to reset the password of another user's account without authorization. The issue results from an excessive attack surface, allowing lower-privileged users to escalate their privileges and take over accounts.
{
"affected": [],
"aliases": [
"CVE-2024-5386"
],
"database_specific": {
"cwe_ids": [
"CWE-1125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-02T11:16:16Z",
"severity": "CRITICAL"
},
"details": "In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a \u0027viewer\u0027 role can exploit this vulnerability to hijack another user\u0027s account by obtaining the password reset token. The vulnerability is triggered when the \u0027viewer\u0027 role user sends a specific request to the server, which responds with a password reset token in the \u0027recoveryToken\u0027 parameter. This token can then be used to reset the password of another user\u0027s account without authorization. The issue results from an excessive attack surface, allowing lower-privileged users to escalate their privileges and take over accounts.",
"id": "GHSA-r75x-2fcv-j4pm",
"modified": "2026-02-02T12:31:14Z",
"published": "2026-02-02T12:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5386"
},
{
"type": "WEB",
"url": "https://github.com/lunary-ai/lunary/commit/fc7ab3d5621c18992da5dab3a2a9a8d227d42311"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/602eb4a1-305d-46d6-b975-5a5d8b040ad1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VJQ3-X3F2-FVXQ
Vulnerability from github – Published: 2022-05-14 00:01 – Updated: 2022-05-25 19:25Account Takeover in GitHub repository neorazorx/facturascripts prior to 2022.08 due to improper type casting.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "facturascripts/facturascripts"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2022.08"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-1715"
],
"database_specific": {
"cwe_ids": [
"CWE-1125",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-25T19:25:29Z",
"nvd_published_at": "2022-05-13T17:15:00Z",
"severity": "CRITICAL"
},
"details": "Account Takeover in GitHub repository neorazorx/facturascripts prior to 2022.08 due to improper type casting.",
"id": "GHSA-vjq3-x3f2-fvxq",
"modified": "2022-05-25T19:25:29Z",
"published": "2022-05-14T00:01:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1715"
},
{
"type": "WEB",
"url": "https://github.com/neorazorx/facturascripts/commit/714bebf4c35e3eedda138f5ee912a8031bc8b1ab"
},
{
"type": "PACKAGE",
"url": "https://github.com/neorazorx/facturascripts"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/58918962-ccb5-47f9-bb43-ffd8cae1ef24"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Account takeover in facturascripts"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.