Vulnerability — CVE-2024-7456

CVE-2024-7456

Reference to the description:: https://nvd.nist.gov/vuln/detail/CVE-2024-7456
Description:: A SQL injection vulnerability exists in the `/api/v1/external-users` route of lunary-ai/lunary version v1.4.2. The `order by` clause of the SQL query uses `sql.unsafe` without prior sanitization, allowing for SQL injection. The `orderByClause` variable is constructed without server-side validation or sanitization, enabling an attacker to execute arbitrary SQL commands. Successful exploitation can lead to complete data loss, modification, or corruption.
Last updated date:: 11/06/2024

Type:: exploit
Confidence:: HIGH
Date of publishing:: 11/06/2024
Reference url to background: https://huntr.com/bounties/bfb3015e-5642-4d94-ab49-e8b49c4e07e4