Sz-fujia Ourphoto 1.4.1

4 matches found

CVE
added 2022/11/28 10:15 p.m., 61 views

CVE-2022-24190

The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any user's picture frame, then send a POST request to accep...

CVSS 7.5, AI score 7.6, EPSS 0.00065

CVE
added 2022/11/28 10:15 p.m., 52 views

CVE-2022-24187

The user_id and device_id on the Ourphoto App version 1.4.1 /device/* end-points both suffer from insecure direct object reference vulnerabilities. Other end users' user_id and device_id values can be enumerated by incrementing or decrementing id numbers. The impact of this vulnerability allows an a...

CVSS 7.5, AI score 7.4, EPSS 0.00089

CVE
added 2022/11/28 10:15 p.m., 45 views

CVE-2022-24188

The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear-text. The lack of session management and presence of insecure direct obje...

CVSS 7.5, AI score 7.5, EPSS 0.00045

CVE
added 2022/11/28 10:15 p.m., 45 views

CVE-2022-24189

The user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vulnerability allows an attacker to POST API calls with other use...

CVSS 6.5, AI score 6.3, EPSS 0.00054