exploitDog

CVE-2022-24189

Опубликовано: 28 нояб. 2022

Источник: nvd

CVSS3: 6.5

EPSS Низкий

Описание

The user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vulnerability allows an attacker POST api calls with other users unique identifiers and enumerate information of all other end-users.

Ссылки

https://www.scrawledsecurityblog.com/2022/11/automating-unsolicited-richard-pics.html
Exploit
Technical Description
Third Party Advisory
https://www.scrawledsecurityblog.com/2022/11/automating-unsolicited-richard-pics.html
Exploit
Technical Description
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:sz-fujia:ourphoto:1.4.1:*:*:*:*:*:*:*

EPSS

Процентиль: 47%

0.00238

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-863

CWE-863

Связанные уязвимости

GHSA-x859-4wp8-g67f

CVSS3: 6.5

github

около 3 лет назад

The user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vulnerability allows an attacker POST api calls with other users unique identifiers and enumerate information of all other end-users.

EPSS

Процентиль: 47%

0.00238

Низкий

6.5 Medium

CVSS3

Дефекты

CWE-863

CWE-863