CVE-2022-24189 - Incorrect Authorization vulnerability in Sz-Fujia Ourphoto 1.4.1

CVSS 6.5 - MEDIUM

Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: LOW
Integrity impact: LOW
Availability impact: NONE
Vendor: sz-fujia
Weakness: CWE-863

Summary

The user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* endpoints is not implemented properly. Removing the header value causes all requests to succeed, bypassing both authorization and session management. As a result, an unauthenticated attacker can issue POST API calls carrying other users' unique identifiers and enumerate the information of all other end-users.
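The failure pattern described above (a token check that is only run when a value is present, combined with the target account being taken from the request body) is easy to model. The following is an added example written for this page, not code from Ourphoto or its vendor: the handlers, token format, signing key and user records are all hypothetical. It puts a fail-open handler beside a fail-closed one and replays the reported condition, an empty user_token value walked over candidate identifiers, against both.

```python
import hashlib
import hmac

# Constructed sample data for this example; nothing here comes from Ourphoto.
SIGNING_KEY = b"server-side-secret-for-this-example"   # assumed server secret
USERS = {
    "u1001": {"email": "alice@example.com", "photos": ["p1", "p2"]},
    "u1002": {"email": "bob@example.com", "photos": ["p3"]},
}


def issue_token(user_id):
    """Mint a session token of the form '<user_id>.<hmac>' (hypothetical scheme)."""
    mac = hmac.new(SIGNING_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_token(token):
    """Return the user id bound to a valid token, or None for absent/empty/forged."""
    if not token or "." not in token:
        return None
    user_id, mac = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return user_id


def vulnerable_profile(headers, body):
    """Fail-open handler: validates user_token only when a value is present,
    and takes the target account from the client-controlled body (CWE-863)."""
    token = headers.get("user_token")
    if token:                              # empty or missing value skips the check
        if verify_token(token) is None:
            return 401, {"error": "invalid token"}
    target = body.get("user_id")
    if target not in USERS:
        return 404, {"error": "no such user"}
    return 200, USERS[target]


def hardened_profile(headers, body):
    """Fail-closed handler: any request without a valid token is rejected, and
    the identity comes from the verified token, never from the body."""
    user_id = verify_token(headers.get("user_token"))
    if user_id is None:
        return 401, {"error": "authentication required"}
    target = body.get("user_id", user_id)
    if target != user_id:                  # cross-account access is an authz failure
        return 403, {"error": "forbidden"}
    return 200, USERS[user_id]


def enumerate_without_token(handler, candidate_ids):
    """Replay the reported condition against a handler: send user_token with an
    empty value and walk candidate identifiers, collecting whatever leaks."""
    leaked = {}
    for uid in candidate_ids:
        status, resp = handler({"user_token": ""}, {"user_id": uid})
        if status == 200:
            leaked[uid] = resp["email"]
    return leaked


if __name__ == "__main__":
    ids = ["u1001", "u1002", "u1003"]
    print("vulnerable:", enumerate_without_token(vulnerable_profile, ids))
    print("hardened:  ", enumerate_without_token(hardened_profile, ids))
```

Two properties of the hardened handler matter independently: the token check fails closed (absent, empty and forged values all land on the same 401 path), and the account whose data is returned is derived from the verified token rather than from an identifier the client supplies. Fixing only the first still leaves an authenticated user able to read other accounts by changing user_id in the body.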

Vulnerable Configurations

Part          Description   Count
Application   Sz-Fujia      1

Common Weakness Enumeration (CWE)

CWE-863: Incorrect Authorization