PT-2022-16529 · Unknown · Ourphoto App

1Oopho1E

·

Published

2022-11-28

·

Updated

2022-12-01

·

CVE-2022-24189

CVSS v3.1

6.5

Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Ourphoto App version 1.4.1
Description: The /apiv1/* API endpoints do not implement the user token authorization header correctly. Removing the token value from the header does not cause a request to be rejected; every request succeeds, which bypasses both authorization and session management. An attacker can therefore make POST calls to these endpoints carrying other users' unique identifiers and enumerate the information of every other end-user.
Recommendations: Ourphoto App version 1.4.1 should validate the user token on every /apiv1/* request server-side, rejecting any request whose token header is missing or empty, and should check that the identifier in a request body belongs to the authenticated session instead of trusting a caller-supplied value. Until such a fix is available, consider temporarily disabling the /apiv1/* API endpoints and restricting access to sensitive user information to limit the exposure.
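The following is an added example (not Ourphoto code and not from this advisory) that models the flaw class in the Description and the fix in the Recommendations: an authorization check that only runs when a token value is present, next to a hardened handler that requires the token and binds the record to the authenticated identity. The endpoint name, the header name user_token, the body field user_id, and the in-memory session and user tables are all assumptions constructed for the illustration; a small enumeration routine shows how a tester would confirm the bypass.

```python
"""Illustration of a token check that an empty header bypasses.

Added example, not Ourphoto App code. The header name ``user_token``,
the body field ``user_id``, and the tables below are assumptions.
"""
from typing import Callable, Dict, Iterable, Optional, Tuple

# Constructed session store: token -> authenticated user id
SESSIONS: Dict[str, int] = {"tok-alice-1": 1001, "tok-bob-2": 1002}

# Constructed user records keyed by each user's unique identifier
USERS: Dict[int, Dict[str, str]] = {
    1001: {"name": "alice", "email": "alice@example.invalid"},
    1002: {"name": "bob", "email": "bob@example.invalid"},
}

Response = Tuple[int, Optional[Dict[str, str]]]
Handler = Callable[[Dict[str, str], Dict[str, int]], Response]


def vulnerable_get_profile(headers: Dict[str, str], body: Dict[str, int]) -> Response:
    """Flawed pattern: the token is validated only if a value was supplied.

    An absent or empty header skips the check entirely, and the handler then
    trusts the user id from the request body, so any user's record is returned.
    """
    token = headers.get("user_token", "")
    if token:  # empty string -> the whole check is skipped
        if token not in SESSIONS:
            return 401, None
    uid = body.get("user_id")
    if uid not in USERS:
        return 404, None
    return 200, USERS[uid]


def hardened_get_profile(headers: Dict[str, str], body: Dict[str, int]) -> Response:
    """Fixed pattern: the token is mandatory and resolved to a session identity,
    and the record returned is bound to that identity, not to a caller-supplied id.
    """
    token = headers.get("user_token", "")
    if not token or token not in SESSIONS:
        return 401, None
    caller = SESSIONS[token]
    uid = body.get("user_id", caller)
    if uid != caller:  # caller asked for somebody else's record
        return 403, None
    return 200, USERS[caller]


def enumerate_users(handler: Handler, headers: Dict[str, str],
                    candidate_ids: Iterable[int]) -> Dict[int, str]:
    """Tester's check: replay POST bodies with other users' ids and collect
    the records that come back. Returns {user_id: name} for each 200 response.
    """
    found: Dict[int, str] = {}
    for uid in candidate_ids:
        status, record = handler(headers, {"user_id": uid})
        if status == 200 and record is not None:
            found[uid] = record["name"]
    return found


if __name__ == "__main__":
    ids = range(1000, 1004)
    print("vulnerable, empty token :", enumerate_users(vulnerable_get_profile, {"user_token": ""}, ids))
    print("vulnerable, header gone :", enumerate_users(vulnerable_get_profile, {}, ids))
    print("vulnerable, bogus token :", enumerate_users(vulnerable_get_profile, {"user_token": "zzz"}, ids))
    print("hardened, empty token   :", enumerate_users(hardened_get_profile, {"user_token": ""}, ids))
    print("hardened, alice's token :", enumerate_users(hardened_get_profile, {"user_token": "tok-alice-1"}, ids))
```

Against the vulnerable handler a blank or missing header enumerates every user, while a wrong token is still rejected, which is exactly the asymmetry the Description reports. The hardened handler treats a missing token like an invalid one and ignores the body's identifier for authorization decisions, so enumeration yields only the caller's own record.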

Exploit

Fix

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2022-24189

Affected Products

Ourphoto App