CVE-2022-24189
CVSS V2 None
CVSS V3 None
Description
The user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vulnerability allows an attacker POST api calls with other users unique identifiers and enumerate information of all other end-users.
Overview
- CVE ID
- CVE-2022-24189
- Assigner
- cve@mitre.org
- Vulnerability Status
- Analyzed
- Published Version
- 2022-11-28T22:15:10.513
- Last Modified Date
- 2022-12-01T23:20:26.607
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:sz-fujia:ourphoto:1.4.1:*:*:*:*:*:*:* | 1 | OR |
References
| Reference URL | Reference Tags |
|---|---|
| https://www.scrawledsecurityblog.com/2022/11/automating-unsolicited-richard-pics.html | Exploit Technical Description Third Party Advisory |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-24189 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24189 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-12-07 18:05:22 | Added to TrackCVE |