PT-2022-16528 · Unknown · Ourphoto App
1Oopho1E
Published 2022-11-28 · Updated 2022-12-01 · CVE-2022-24188
CVSS v3.1 7.5 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Ourphoto App version 1.4.1
Description: The issue concerns the disclosure of clear-text password information for picture frame devices through the "/device/signin" end-point. Specifically, the deviceVideoCallPassword and mqttPassword are returned in clear-text. This is exacerbated by the lack of session management and the presence of insecure direct object references, which allows for the retrieval of password information for other end-users' devices. This information could potentially be used to abuse the video calling functionality offered by many of these devices.
Recommendations: For Ourphoto App version 1.4.1, consider disabling the "/device/signin" end-point until a patch is available to prevent the disclosure of clear-text password information. Restrict access to the deviceVideoCallPassword and mqttPassword variables to minimize the risk of exploitation. Avoid using the "/device/signin" end-point for authentication purposes until the issue is resolved.
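As an added illustration (not the Ourphoto backend's code, which this advisory does not include), the following Python models the two handler defects the description names, a response that carries the deviceVideoCallPassword and mqttPassword fields and a lookup keyed only by a caller-supplied device identifier with no session or ownership check, beside a hardened handler that applies the recommendations. The device records, session tokens and placeholder password values are constructed for the example, and the function names are hypothetical.

```python
"""Added example: a minimal model of a device sign-in handler with the defects
the advisory describes, beside a hardened version. Hypothetical code, not the
Ourphoto backend; all records, tokens and credential values are constructed."""

# Constructed device table. Password values are placeholders, not real credentials.
DEVICES = {
    "frame-001": {
        "owner": "alice",
        "model": "photo-frame",
        "deviceVideoCallPassword": "PLACEHOLDER-VIDEO-1",
        "mqttPassword": "PLACEHOLDER-MQTT-1",
    },
    "frame-002": {
        "owner": "bob",
        "model": "photo-frame",
        "deviceVideoCallPassword": "PLACEHOLDER-VIDEO-2",
        "mqttPassword": "PLACEHOLDER-MQTT-2",
    },
}

# Constructed server-side session table: token -> authenticated user.
SESSIONS = {"sess-alice-1234": "alice"}

# Fields the advisory names as disclosed in clear text; they must never leave the server.
SECRET_FIELDS = frozenset({"deviceVideoCallPassword", "mqttPassword"})


class Unauthorized(Exception):
    """No valid session accompanied the request."""


class Forbidden(Exception):
    """The caller does not own the requested device (or it does not exist)."""


def signin_vulnerable(device_id):
    """Pattern the advisory describes: the record is keyed only by the device
    identifier supplied by the caller (an insecure direct object reference),
    no session is required, and the stored secrets are echoed back."""
    record = DEVICES.get(device_id)
    return dict(record) if record is not None else None


def signin_hardened(session_token, device_id):
    """Applies the recommendations: require a server-side session, verify the
    device belongs to the session's user, and strip credential fields from the
    response so neither password is returned in clear text."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Unauthorized("missing or invalid session")
    record = DEVICES.get(device_id)
    # Same error for "not yours" and "does not exist" so the endpoint cannot be
    # used to enumerate which device identifiers are valid.
    if record is None or record["owner"] != user:
        raise Forbidden("device not accessible to this session")
    return {k: v for k, v in record.items() if k not in SECRET_FIELDS}


def leaked_fields(response):
    """Audit helper for a captured response body: names any credential fields
    present, which is the check a reviewer runs against the endpoint."""
    if response is None:
        return []
    return sorted(k for k in response if k in SECRET_FIELDS)


if __name__ == "__main__":
    print("vulnerable:", leaked_fields(signin_vulnerable("frame-002")))
    print("hardened:  ", leaked_fields(signin_hardened("sess-alice-1234", "frame-001")))
```

The hardened handler binds the lookup to the session's user rather than to the identifier in the request, and returns the same error for a foreign device and a non-existent one; the `leaked_fields` audit is the response check worth keeping in an integration test after the patch lands.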

Weakness Enumeration: Cleartext Storage of Sensitive Information
Related Identifiers: CVE-2022-24188
Affected Products: Ourphoto App