CVE-2022-24190

Name of the Vulnerable Software and Affected Versions Ourphoto App version 1.4.1

Description The issue concerns the "/device/acceptBind" end-point, which does not require authentication or authorization. Specifically, the user token header is not implemented or present on this end-point. This allows an attacker to send a request to bind their account to any user's picture frame and then accept their own bind request without the end-user's approval or interaction.

Recommendations For Ourphoto App version 1.4.1, consider disabling the "/device/acceptBind" end-point until a patch is available that implements proper authentication and authorization, including the use of the user token header. Restrict access to this end-point to minimize the risk of exploitation. Avoid using this end-point until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.