VYPR
Vendor

Ourphoto

Products
1
CVEs
4
Across products
4
Status
Private

Products

1

Recent CVEs

4
  • CVE-2022-24190HigNov 28, 2022
    risk 0.49cvss 7.5epss 0.01

    The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a…

  • CVE-2022-24188HigNov 28, 2022
    risk 0.49cvss 7.5epss 0.00

    The /device/signin end-point for the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear-text. The lack of sessions management and presence of…

  • CVE-2022-24187HigNov 28, 2022
    risk 0.49cvss 7.5epss 0.01

    The user_id and device_id on the Ourphoto App version 1.4.1 /device/* end-points both suffer from insecure direct object reference vulnerabilities. Other end-users user_id and device_id values can be enumerated by incrementing or decrementing id numbers. The impact of this…

  • CVE-2022-24189MedNov 28, 2022
    risk 0.42cvss 6.5epss 0.01

    The user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. The impact of this vulnerability allows an attacker POST api…