CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2022-24188

The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear-text. The lack of sessions management and presence of insecure direct object references allows to return password information for other end-users devices. Many of the picture frame devices offer video calling, and it is likely this information can be used to abuse that functionality.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 13.9%

CVSS Severity

CVSS v3 Score 7.5

References

https://www.scrawledsecurityblog.com/2022/11/automating-unsolicited-richard-pics.html
https://www.scrawledsecurityblog.com/2022/11/automating-unsolicited-richard-pics.html

Products affected by CVE-2022-24188

Sz-Fujia » Ourphoto » Version: 1.4.1

cpe:2.3:a:sz-fujia:ourphoto:1.4.1

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2022-24188

Products

Pricing

Contact Us