39 matches found
EUVD-2022-29101
Malicious code in bioql PyPI...
EUVD-2022-29098
Malicious code in bioql PyPI...
EUVD-2022-29099
Malicious code in bioql PyPI...
EUVD-2022-29100
Malicious code in bioql PyPI...
CVE-2022-24188
The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear-text. The lack of sessions management and presence of insecure direct...
CVE-2022-24189
The usertoken authorization header on the Ourphoto App version 1.4.1 /apiv1/ end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vulnerability allows an attacker POST api calls with other use...
CVE-2022-24187
The userid and deviceid on the Ourphoto App version 1.4.1 /device/ end-points both suffer from insecure direct object reference vulnerabilities. Other end-users userid and deviceid values can be enumerated by incrementing or decrementing id numbers. The impact of this vulnerability allows an...
CVE-2022-24190
The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The usertoken header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to acce...
CVE-2022-24190
The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The usertoken header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to acce...
CVE-2022-24187
The userid and deviceid on the Ourphoto App version 1.4.1 /device/ end-points both suffer from insecure direct object reference vulnerabilities. Other end-users userid and deviceid values can be enumerated by incrementing or decrementing id numbers. The impact of this vulnerability allows an...
CVE-2022-24189
The usertoken authorization header on the Ourphoto App version 1.4.1 /apiv1/ end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vulnerability allows an attacker POST api calls with other use...
CVE-2022-24190
The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The usertoken header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to acce...
CVE-2022-24189
The usertoken authorization header on the Ourphoto App version 1.4.1 /apiv1/ end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vulnerability allows an attacker POST api calls with other use...
CVE-2022-24188
The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear-text. The lack of sessions management and presence of insecure direct...
CVE-2022-24187
The userid and deviceid on the Ourphoto App version 1.4.1 /device/ end-points both suffer from insecure direct object reference vulnerabilities. Other end-users userid and deviceid values can be enumerated by incrementing or decrementing id numbers. The impact of this vulnerability allows an...
CVE-2022-24188
The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear-text. The lack of sessions management and presence of insecure direct...
Authentication flaw
The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The usertoken header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to acce...
Authorization
The usertoken authorization header on the Ourphoto App version 1.4.1 /apiv1/ end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vulnerability allows an attacker POST api calls with other use...
Design/Logic Flaw
The userid and deviceid on the Ourphoto App version 1.4.1 /device/ end-points both suffer from insecure direct object reference vulnerabilities. Other end-users userid and deviceid values can be enumerated by incrementing or decrementing id numbers. The impact of this vulnerability allows an...
PT-2022-16529 · Unknown · Ourphoto App
Name of the Vulnerable Software and Affected Versions: Ourphoto App version 1.4.1 Description: The issue concerns the improper implementation of the user token authorization header on the /apiv1/ API endpoints. This allows an attacker to bypass authorization and session management by removing the...