CVE-2018-20371

Name of the Vulnerable Software and Affected Versions PhotoRange Photo Vault version 1.2

Description The issue allows remote attackers to bypass intended GET restrictions via a brute-force approach. This is because the password is appended to the URI for authorization. For example, attackers can use "GET /login.html passwd1" and "GET /login.html passwd2" and so on to bypass restrictions.

Recommendations For PhotoRange Photo Vault version 1.2, consider modifying the authorization mechanism to prevent passwords from being appended to the URI, thereby preventing brute-force attacks. As a temporary workaround, restrict access to the login endpoint to minimize the risk of exploitation.