Lucene search

MitreCVE-2022-24188

HistoryNov 28, 2022 - 10:15 p.m.

CVE-2022-24188

2022-11-2822:15:10

CWE-312

mitre

web.nvd.nist.gov

cve-2022-24188

ourphoto app

clear-text passwords

video calling abuse

insecure direct object references

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.5

Confidence

High

EPSS

0.002

Percentile

56.5%

JSON

The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear-text. The lack of sessions management and presence of insecure direct object references allows to return password information for other end-users devices. Many of the picture frame devices offer video calling, and it is likely this information can be used to abuse that functionality.

Affected configurations

Nvd

Node

sz-fujiaourphotoMatch1.4.1

VendorProductVersionCPE
sz-fujiaourphoto1.4.1cpe:2.3:a:sz-fujia:ourphoto:1.4.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sz-fujia	ourphoto	1.4.1	cpe:2.3:a:sz-fujia:ourphoto:1.4.1:::::::*

References

www.scrawledsecurityblog.com/2022/11/automating-unsolicited-richard-pics.html

Social References

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.5

Confidence

High

EPSS

0.002

Percentile

56.5%

JSON

Related for CVE-2022-24188