CVE-2022-24189: n/a in n/a
The user_token authorization header on the Ourphoto App version 1.4.1 /apiv1/* end-points is not implemented properly. Removing the value causes all requests to succeed, bypassing authorization and session management. This vulnerability allows an attacker to make POST API calls with other users' unique identifiers and enumerate information about all other end-users.
AI Analysis
Technical Summary
CVE-2022-24189 is a medium-severity vulnerability affecting the Ourphoto App version 1.4.1, specifically its /apiv1/* API endpoints. The core issue lies in the improper implementation of the user_token authorization header. Normally, this header should be required and validated to authenticate and authorize API requests. However, due to the flawed implementation, removing the user_token header entirely causes the server to bypass authorization and session management checks, allowing all requests to succeed regardless of authentication status. This means an attacker can craft POST API calls without any valid token and impersonate other users by submitting their unique identifiers. Consequently, the attacker can enumerate and retrieve information about all other end-users of the application. The vulnerability is classified under CWE-863 (Incorrect Authorization), indicating a failure to enforce proper access controls. The CVSS 3.1 base score is 6.5 (medium), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and low impact on confidentiality and integrity (C:L/I:L) with no impact on availability (A:N). No patches or known exploits in the wild have been reported as of the published date (November 28, 2022). This vulnerability exposes sensitive user data and undermines the trustworthiness of the application's authorization mechanisms, potentially leading to privacy violations and unauthorized data access.
Potential Impact
For European organizations using the Ourphoto App version 1.4.1, this vulnerability poses a significant risk to user privacy and data security. Attackers can bypass authentication controls to access personal information of all users, which may include sensitive or personally identifiable information (PII). This could lead to violations of the EU General Data Protection Regulation (GDPR), resulting in legal penalties and reputational damage. The ability to enumerate user data without authentication also increases the risk of targeted phishing, social engineering, or further exploitation. While the vulnerability does not allow direct system compromise or denial of service, the unauthorized disclosure of user information can have severe consequences for organizations handling sensitive customer or employee data. Additionally, if the Ourphoto App is integrated into broader enterprise systems or workflows, this flaw could serve as an entry point for lateral movement or further attacks. The impact is particularly critical for sectors with stringent data protection requirements such as healthcare, finance, and government services within Europe.
Mitigation Recommendations
1. Immediate mitigation should involve disabling or restricting access to the /apiv1/* endpoints until a proper fix is implemented.
2. Implement strict validation of the user_token authorization header on all API endpoints to ensure that requests without a valid token are rejected.
3. Introduce comprehensive access control checks on the server side to verify that the authenticated user is authorized to access or modify the requested resources.
4. Conduct a thorough code review and security audit of the authorization logic to identify and remediate similar flaws.
5. Deploy monitoring and alerting mechanisms to detect anomalous API usage patterns indicative of unauthorized access or enumeration attempts.
6. If possible, apply rate limiting on API calls to reduce the risk of automated enumeration attacks.
7. Communicate transparently with users about the vulnerability and any potential data exposure, and advise password resets or other protective measures if applicable.
8. Coordinate with the app vendor or development team to obtain and deploy an official patch or update addressing this vulnerability.
9. For organizations integrating Ourphoto App, consider isolating its data and limiting its access to sensitive systems until the vulnerability is resolved.
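As an added illustration (hypothetical handler code, not Ourphoto's implementation), the following contrasts the flawed pattern the technical summary describes, a token check that is skipped when the header is absent, with the hardened form that recommendations 2 and 3 call for: require the user_token header, validate it against the session store, and bind the user_id in the request body to the session. The session table, request shape and identifiers are constructed for the example.

```python
# Added illustration for CVE-2022-24189 (CWE-863). Hypothetical handler code,
# not Ourphoto's implementation: contrasts a token check that is skipped when
# the header is absent with one that requires, validates and binds the token.
from dataclasses import dataclass, field

# Constructed session table: user_token value -> user id it was issued to.
SESSIONS = {"tok-alice-1": "u100", "tok-bob-7": "u200"}


@dataclass
class Request:
    path: str
    body: dict                      # parsed POST body, e.g. {"user_id": "u200"}
    headers: dict = field(default_factory=dict)


def vulnerable_authorize(req):
    """Flawed pattern: only validates user_token when the client sends one.

    With the header (or its value) removed the check is skipped and the handler
    trusts the client-supplied user_id, which is what the advisory describes."""
    token = req.headers.get("user_token")
    if token and token not in SESSIONS:
        return (False, "invalid user_token")
    return (True, req.body.get("user_id"))


def hardened_authorize(req):
    """Require the header, validate it, then enforce object-level access."""
    token = req.headers.get("user_token")
    if not token:                               # absent or empty -> reject
        return (False, "missing user_token")
    uid = SESSIONS.get(token)
    if uid is None:
        return (False, "invalid user_token")
    # CWE-863 fix: the caller may only act on the account its session belongs to.
    if req.body.get("user_id") != uid:
        return (False, "user_id does not match session")
    return (True, uid)


def demo():
    """Same tokenless request through both checks; returns both verdicts."""
    req = Request("/apiv1/profile", {"user_id": "u200"})  # no user_token header
    return vulnerable_authorize(req), hardened_authorize(req)


if __name__ == "__main__":
    print(demo())  # ((True, 'u200'), (False, 'missing user_token'))
```

The same check is what recommendation 5 should log: a request to /apiv1/* with no user_token, or one whose body user_id differs from the session's user, is the pattern to alert on.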
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-01-31T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983dc4522896dcbef06b
Added to database: 5/21/2025, 9:09:17 AM
Last enriched: 6/24/2025, 11:20:15 PM
Last updated: 8/13/2025, 9:01:58 PM