N/A

The /device/acceptBind end-point for Ourphoto App version 1.4.1 does not require authentication or authorization. The user_token header is not implemented or present on this end-point. An attacker can send a request to bind their account to any users picture frame, then send a POST request to accept their own bind request, without the end-users approval or interaction.

N/A

N/A

Shenzhen Fujia Technology OurPhoto 安全漏洞

Shenzhen Fujia Technology OurPhoto是中国Shenzhen Fujia Technology公司的一个云相框软件。可以直接在手机上共享照片和视频文件。 Shenzhen Fujia Technology OurPhoto 1.4.1版本存在安全漏洞，该漏洞源于其/device/acceptBind端点不需要身份验证或授权。user_token头没有实现，也没有出现在这个端点上导致攻击者可以发送一个请求将他们的帐户绑定到任何用户的图片框，然后发送一个POST请求接受他们自己的

N/A

N/A