Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/39152?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39152?format=api", "vulnerability_id": "VCID-4km7-d7p5-cuh4", "summary": "A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the `orgId` parameter supplied by the user before incorporating it into the generated response. Specifically, the endpoint generates XML responses for SAML metadata, where the `orgId` parameter is directly embedded into the XML structure without proper sanitization or validation. This flaw allows an attacker to inject arbitrary JavaScript code into the generated SAML metadata page, leading to potential theft of user cookies or authentication tokens.", "aliases": [ { "alias": "CVE-2024-5478" }, { "alias": "GHSA-rpx8-fg6w-rm6x" } ], "fixed_packages": [], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/721388?format=api", "purl": "pkg:npm/lunary@0.6.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.6.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/721389?format=api", "purl": "pkg:npm/lunary@0.6.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.6.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/721390?format=api", "purl": "pkg:npm/lunary@0.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.6.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/721391?format=api", "purl": "pkg:npm/lunary@0.6.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.6.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/721392?format=api", "purl": "pkg:npm/lunary@0.6.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.6.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/721393?format=api", "purl": "pkg:npm/lunary@0.6.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.6.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/721394?format=api", "purl": "pkg:npm/lunary@0.6.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.6.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/721395?format=api", "purl": "pkg:npm/lunary@0.6.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.6.9" }, { "url": "http://public2.vulnerablecode.io/api/packages/721396?format=api", "purl": "pkg:npm/lunary@0.6.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.6.10" }, { "url": "http://public2.vulnerablecode.io/api/packages/721397?format=api", "purl": "pkg:npm/lunary@0.6.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.6.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/721398?format=api", "purl": "pkg:npm/lunary@0.6.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.6.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/721399?format=api", "purl": "pkg:npm/lunary@0.6.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.6.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/721400?format=api", "purl": "pkg:npm/lunary@0.6.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.6.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/721401?format=api", "purl": "pkg:npm/lunary@0.6.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.6.16" }, { "url": "http://public2.vulnerablecode.io/api/packages/721402?format=api", "purl": "pkg:npm/lunary@0.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.7.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/721403?format=api", "purl": "pkg:npm/lunary@0.7.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.7.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/721404?format=api", "purl": "pkg:npm/lunary@0.7.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.7.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/721405?format=api", "purl": "pkg:npm/lunary@0.7.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.7.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/721406?format=api", "purl": "pkg:npm/lunary@0.7.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.7.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/721407?format=api", "purl": "pkg:npm/lunary@0.7.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.7.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/721408?format=api", "purl": "pkg:npm/lunary@0.7.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.7.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/721409?format=api", "purl": "pkg:npm/lunary@0.7.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.7.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/721410?format=api", "purl": "pkg:npm/lunary@0.7.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" }, { "vulnerability": "VCID-84xy-jwx1-hkct" }, { "vulnerability": "VCID-gwzm-yh7v-gych" }, { "vulnerability": "VCID-k265-w6ct-wub6" }, { "vulnerability": "VCID-mtp3-perh-xkca" }, { "vulnerability": "VCID-qf2j-8svv-xkfk" }, { "vulnerability": "VCID-r75n-chup-a7a8" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@0.7.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/32039?format=api", "purl": "pkg:npm/lunary@1.2.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4km7-d7p5-cuh4" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/lunary@1.2.7" } ], "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-5478", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.60193", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.60305", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.603", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00386", "scoring_system": "epss", "scoring_elements": "0.60311", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-5478" }, { "reference_url": "https://github.com/lunary-ai/lunary", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lunary-ai/lunary" }, { "reference_url": "https://github.com/lunary-ai/lunary/blob/main/packages/backend/src/api/v1/auth/saml.ts#L34", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lunary-ai/lunary/blob/main/packages/backend/src/api/v1/auth/saml.ts#L34" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5478", "reference_id": "CVE-2024-5478", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5478" }, { "reference_url": "https://huntr.com/bounties/e899f496-d493-4c06-b596-cb0a88ad451b", "reference_id": "e899f496-d493-4c06-b596-cb0a88ad451b", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-07T19:01:54Z/" } ], "url": "https://huntr.com/bounties/e899f496-d493-4c06-b596-cb0a88ad451b" }, { "reference_url": "https://github.com/advisories/GHSA-rpx8-fg6w-rm6x", "reference_id": "GHSA-rpx8-fg6w-rm6x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rpx8-fg6w-rm6x" } ], "weaknesses": [ { "cwe_id": 79, "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "description": "The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "7.0 - 8.9", "exploitability": "0.5", "weighted_severity": "8.0", "risk_score": 4.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4km7-d7p5-cuh4" }