1Oopho1E

**Name of the Vulnerable Software and Affected Versions** Ourphoto App version 1.4.1 **Description** The issue affects the `/device/*` end-points, where the `user id` and `device id` values suffer from insecure direct object reference vulnerabilities. An attacker can enumerate other end-users' `user id` and `device id` values by incrementing or decrementing id numbers, allowing them to discover sensitive information such as end-user email addresses and their unique `frame token` value. **Recommendations** For Ourphoto App version 1.4.1, consider restricting access to the `/device/*` end-points to minimize the risk of exploitation. As a temporary workaround, avoid using the `user id` and `device id` parameters in the affected end-points until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ourphoto App version 1.4.1 **Description** The issue concerns the disclosure of clear-text password information for picture frame devices through the "/device/signin" end-point. Specifically, the `deviceVideoCallPassword` and `mqttPassword` are returned in clear-text. This is exacerbated by the lack of session management and the presence of insecure direct object references, which allows for the retrieval of password information for other end-users' devices. This information could potentially be used to abuse the video calling functionality offered by many of these devices. **Recommendations** For Ourphoto App version 1.4.1, consider disabling the "/device/signin" end-point until a patch is available to prevent the disclosure of clear-text password information. Restrict access to the `deviceVideoCallPassword` and `mqttPassword` variables to minimize the risk of exploitation. Avoid using the "/device/signin" end-point for authentication purposes until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Ourphoto App version 1.4.1 **Description** The issue concerns the improper implementation of the `user token` authorization header on the `/apiv1/*` API endpoints. This allows an attacker to bypass authorization and session management by removing the `user token` value, causing all requests to succeed. As a result, an attacker can make POST API calls with other users' unique identifiers, potentially enumerating information of all other end-users. **Recommendations** For Ourphoto App version 1.4.1, consider temporarily disabling the `/apiv1/*` API endpoints until a proper fix is implemented to prevent unauthorized access. Additionally, restrict access to sensitive user information to minimize the risk of exploitation. Avoid using the `user token` authorization header in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Ourphoto App version 1.4.1 **Description** The issue concerns the "/device/acceptBind" end-point, which does not require authentication or authorization. Specifically, the `user token` header is not implemented or present on this end-point. This allows an attacker to send a request to bind their account to any user's picture frame and then accept their own bind request without the end-user's approval or interaction. **Recommendations** For Ourphoto App version 1.4.1, consider disabling the "/device/acceptBind" end-point until a patch is available that implements proper authentication and authorization, including the use of the `user token` header. Restrict access to this end-point to minimize the risk of exploitation. Avoid using this end-point until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.