Exploit
CVE-2024-7472

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) (CWE-75)

Published: Oct 29, 2024 / Updated: 21d ago

CVSS 6.5 / EPSS 0.04% / Medium

Summary

lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a different whitespace character (e.g., \xa0). This vulnerability can be exploited to conduct phishing attacks, damage the application's brand, cause legal and compliance issues, and result in financial impact due to unauthorized email usage.

Impact

The vulnerability allows an unauthenticated attacker to inject malicious content into outgoing emails. This can lead to several severe consequences:

1. Phishing attacks: Attackers can manipulate email content to deceive recipients, potentially leading to credential theft or malware installation.
2. Brand damage: Malicious emails sent from the organization's domain can harm its reputation and trustworthiness.
3. Legal and compliance issues: Unauthorized email manipulation may violate data protection regulations and privacy laws.
4. Financial impact: Unauthorized use of the email system can result in increased costs and potential fines from regulatory bodies.

The CVSS base score of 6.5 (Medium severity) indicates a significant risk, especially considering the potential for widespread impact through email-based attacks.

Exploitation

One proof-of-concept exploit is available on huntr.com. There is no evidence of exploitation at the moment.

Patch

A patch is available. The vulnerability has been fixed in a commit on GitHub (https://github.com/lunary-ai/lunary/commit/a39837d7c49936a0c435d241f37ca2ea7904d2cd) as of October 31, 2024.

Mitigation

1. Update lunary-ai/lunary to a version newer than 1.2.26 that includes the security fix.
2. Implement input validation and sanitization for all user-supplied data, especially in email-related functions.
3. Use a robust email templating system that properly escapes special characters.
4. Implement additional security measures such as rate limiting and logging for email-related APIs.
5. Regularly audit and test email-related functionalities for potential injection vulnerabilities.
6. Consider implementing DMARC, SPF, and DKIM to improve email security and reduce the risk of email-based attacks.
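The input-validation step above, applied to the whitespace bypass from the Summary, as an added example that is not code from the lunary repository or its patch. `naiveFirstName`, `safeFirstName` and `escapeHtml` are hypothetical helpers, and the sample inputs in the usage line are constructed.

```javascript
// Added example: hypothetical helpers, not the project's own extractFirstName.
const FALLBACK = ""; // assumption: the template omits the name when this is returned
const NAME_TOKEN = /^[\p{L}\p{M}'-]{1,40}$/u; // letters, combining marks, ' and -

// Weak pattern: only U+0020 counts as a separator, so a value joined with
// U+00A0 (no-break space) passes through as one long "first name".
function naiveFirstName(name) {
  return String(name).split(" ")[0];
}

// Hardened pattern: normalize, split on every Unicode separator and
// control/format character, then allow-list what may reach the email.
function safeFirstName(name) {
  if (typeof name !== "string") return FALLBACK;
  // NFKC folds compatibility forms, e.g. U+00A0 becomes U+0020.
  const normalized = name.normalize("NFKC");
  // \p{Z} = separators, \p{C} = control/format (CR, LF, zero-width space, ...).
  const first = normalized
    .split(/[\s\p{Z}\p{C}]+/u)
    .find((token) => token.length > 0);
  return first && NAME_TOKEN.test(first) ? first : FALLBACK;
}

// Output encoding for HTML email bodies; applied even after validation
// because the allow-list still admits the apostrophe.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed sample: words joined with U+00A0 instead of an ASCII space.
const sample = "Alice\u00a0visit\u00a0example.invalid";
console.log(JSON.stringify(naiveFirstName(sample))); // whole string survives
console.log(JSON.stringify(escapeHtml(safeFirstName(sample)))); // "Alice"
```

Validation on input and encoding on output are independent controls: the allow-list bounds what a name can contain, and the escaping keeps any permitted character from being interpreted as markup in the email body.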

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Timeline

CVE Assignment
NVD published the first details for CVE-2024-7472
Oct 29, 2024 at 1:15 PM

First Article
Feedly found the first article mentioning CVE-2024-7472.
Oct 29, 2024 at 1:21 PM / National Vulnerability Database

CVSS Estimate
Feedly estimated the CVSS score as HIGH
Oct 29, 2024 at 1:22 PM

EPSS
EPSS Score was set to: 0.04% (Percentile: 9.9%)
Oct 30, 2024 at 10:18 AM

CVSS
A CVSS base score of 6.5 has been assigned.
Oct 31, 2024 at 6:50 PM / nvd

Proof of Concept (PoC) Released
A proof of concept exploit has been released
Oct 31, 2024 at 9:11 PM

Affected Systems

Lunary/lunary

Exploits

https://huntr.com/bounties/dc1feec6-1efb-4538-9b56-ab25deb80948

Patches

github.com

Links to Mitre Att&cks

T1070: Indicator Removal on Host

Attack Patterns

CAPEC-81: Web Logs Tampering

News

CVE-2024-7472 Exploit
CVE Id : CVE-2024-7472 Published Date: 2024-10-31T18:46:00+00:00 lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a different whitespace character (e.g., \xa0). This vulnerability can be exploited to conduct phishing attacks, damage the application's brand, cause legal and compliance issues, and result in financial impact due to unauthorized email usage. inTheWild added a link to an exploit: https://huntr.com/bounties/dc1feec6-1efb-4538-9b56-ab25deb80948
cveNotify: CVE-2024-7472 lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a different whitespace character (e.g., \xa0). This vulnerability can be exploited to conduct phishing attacks, damage the application's brand, cause legal and compliance issues, and result in financial impact due to unauthorized email usage. @cveNotify
NA - CVE-2024-7472 - lunary-ai/lunary v1.2.26 contains an email...
lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can...
CVE-2024-7472 | lunary-ai lunary up to 1.4.9 API send-verification extractFirstName special elements into a different plane (special element injection)
A vulnerability, which was classified as problematic, was found in lunary-ai lunary up to 1.4.9. This affects the function extractFirstName of the file /v1/users/send-verification of the component API. The manipulation leads to failure to sanitize special elements into a different plane (special element injection). This vulnerability is uniquely identified as CVE-2024-7472. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.
CVE-2024-7472 - Lunary AI Email Injection Vulnerability
CVE ID : CVE-2024-7472 Published : Oct. 29, 2024, 1:15 p.m. 20 minutes ago Description : lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API (/v1/users/send-verification) and Sign up API (/auth/signup). An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a different whitespace character (e.g., \xa0). This vulnerability can be exploited to conduct phishing attacks, damage the application's brand, cause legal and compliance issues, and result in financial impact due to unauthorized email usage. Severity:

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability Impact: None
