Lunary Access Control Vulnerability in Checklists POST Endpoint

A vulnerability exists in the Lunary application, specifically in versions prior to 1.4.26, within the checklists.post() endpoint. This vulnerability allows users to create or modify checklists without proper permission validation. The absence of access control enables unauthorized users to bypass intended restrictions and manipulate checklist data. Additionally, the endpoint fails to ensure the uniqueness of the slug field when creating new checklists. This oversight allows attackers to spoof existing checklists by reusing slugs from checklists that already exist, potentially leading to significant data integrity issues by replacing legitimate checklist data with malicious or altered information.

Impact

Exploitation of this vulnerability allows unauthorized users to create checklists without the necessary permissions and to overwrite existing checklists by reusing slugs, causing data integrity problems as legitimate checklist items can be replaced with unauthorized changes.

Reproduction

To reproduce this vulnerability, log into the application as a user with 'viewer' role. Copy the access token from the request headers. Then, send a POST request to the checklists endpoint with a payload that includes a slug, type, and data. After the first checklist is created, send another POST request with the same slug to overwrite the existing checklist.

Remediation

Users can update to Lunary version 1.4.26 or later, where this vulnerability has been fixed.