The user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vulnerability allows an attacker POST api calls with other users unique identifiers and enumerate information of all other end-users.
References
Link | Resource |
---|---|
https://www.scrawledsecurityblog.com/2022/11/automating-unsolicited-richard-pics.html | Exploit Technical Description Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-11-28T00:00:00
Updated: 2022-11-28T00:00:00
Reserved: 2022-01-31T00:00:00
Link: CVE-2022-24189
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-11-28T22:15:10.513
Modified: 2022-12-01T23:20:26.607
Link: CVE-2022-24189
JSON object: View
Redhat Information
No data.
CWE