Description
PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PUT users API endpoint to overwrite another user's profile details without authorization.
Problem types
Authorization Bypass Through User-Controlled Key
Product status
Any version before 260601-a7d098548
Credits
George Chen
References
github.com/...prism/photoprism/releases/tag/260601-a7d098548 (Release Notes)
github.com/photoprism/photoprism/issues/5619 (Researcher Disclosure)
www.vulncheck.com/...ation-via-put-api-v1-users-uid-endpoint