Vulnerability Information
Vulnerability Title
Cross-site Scripting (XSS) in SAML metadata endpoint in lunary-ai/lunary
Vulnerability Description
A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata endpoint `/auth/saml/${org?.id}/metadata` of lunary-ai/lunary version 1.2.7. The vulnerability arises due to the application's failure to escape or validate the `orgId` parameter supplied by the user before incorporating it into the generated response. Specifically, the endpoint generates XML responses for SAML metadata, where the `orgId` parameter is directly embedded into the XML structure without proper sanitization or validation. This flaw allows an attacker to inject arbitrary JavaScript code into the generated SAML metadata page, leading to potential theft of user cookies or authentication tokens.
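The hardening the description implies, written here as an added example rather than lunary's own code: the `orgId` path parameter is checked against an allow-list pattern before it reaches the template, escaped on interpolation anyway, and the result is served with an XML media type. Assumed, not taken from the page: that organisation ids are UUIDs, the function names, and the `baseUrl` configuration value.

```javascript
// Added example, not lunary's own code: a metadata handler that treats the
// orgId path parameter as untrusted input. Assumptions: org ids are UUIDs,
// and the function/parameter names here are illustrative.
const UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const XML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;",
};

// Escape the characters that are significant in XML text and attributes.
function escapeXml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => XML_ESCAPES[ch]);
}

// Allow-list validation: anything that is not a UUID is rejected before
// it can reach the XML template at all.
function validateOrgId(orgId) {
  if (typeof orgId !== "string" || !UUID_RE.test(orgId)) {
    throw new Error("invalid orgId");
  }
  return orgId;
}

// Build the SAML SP metadata document. orgId is validated first and still
// escaped on interpolation (defence in depth); baseUrl is server-side config.
function buildSamlMetadata(orgId, baseUrl) {
  const id = escapeXml(validateOrgId(orgId));
  const origin = escapeXml(baseUrl);
  return [
    '<?xml version="1.0" encoding="UTF-8"?>',
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"',
    `    entityID="${origin}/auth/saml/${id}/metadata">`,
    '  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">',
    '    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"',
    `        Location="${origin}/auth/saml/${id}/acs" index="0"/>`,
    "  </md:SPSSODescriptor>",
    "</md:EntityDescriptor>",
  ].join("\n");
}

// Serve it as SAML metadata, not text/html, so a browser never treats the
// body as an HTML document; invalid ids get a plain 400 with no echo.
function metadataResponse(orgId, baseUrl) {
  try {
    const body = buildSamlMetadata(orgId, baseUrl);
    return { status: 200, headers: { "Content-Type": "application/samlmetadata+xml" }, body };
  } catch (e) {
    return { status: 400, headers: { "Content-Type": "text/plain" }, body: "invalid organisation id" };
  }
}
```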
CVSS Information
N/A
Vulnerability Type
Improper escaping of input during web page generation (Cross-site Scripting)
Vulnerability Title
Lunary Cross-site Scripting Vulnerability
Vulnerability Description
Lunary is an open-source production toolkit for LLMs from lunary. Lunary version 1.2.7 contains a cross-site scripting vulnerability, which stems from the application failing to escape or validate the user-supplied orgId parameter, allowing an attacker to inject arbitrary JavaScript code and potentially steal user cookies or authentication tokens.
CVSS Information
N/A
Vulnerability Type
N/A