CVE-2022-24189
MEDIUM - Ourphoto 1.4.1 - Incorrect Authorization via Missing User Token
Title source: llmDescription
The user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* endpoints is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vulnerability allows an attacker to make POST API calls with other users' unique identifiers and enumerate information about all other end users.
References (1)
Core References
Exploit, Technical Description, Third Party Advisory
https://www.scrawledsecurityblog.com/2022/11/automating-unsolicited-richard-pics.html
Scores
CVSS v3
6.5
EPSS
0.0051
EPSS Percentile
39.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (1)
sz-fujia/ourphoto
1.4.1
Published
Nov 28, 2022
Tracked Since
Feb 18, 2026