Quequnlong Shiyi-Blog Improper Authorization Vulnerability in Photo Album Access

Vulnerability

A critical vulnerability has been identified in Quequnlong Shiyi-Blog versions through 1.2.1. The issue resides in the '/dev-api/api/album/photos/{albumId}' interface, where improper authorization allows users to access confidential photos without password verification, jeopardizing user privacy. This vulnerability can be exploited remotely, and an exploit is publicly available.

Impact

Exploitation of this vulnerability allows unauthorized access to private photo albums, enabling users to view confidential photos without proper authentication.

Reproduction

To reproduce this vulnerability, upload files through the '/api/file/upload' endpoint using directory traversal techniques to bypass authorization. After uploading, access the '/dev-api/api/album/photos/{albumId}' endpoint to retrieve photos from albums without password verification.
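As an added illustration (not Shiyi-Blog's own code), the authorization decision the photo endpoint is missing, modelled in Python: a handler that returns photos on album existence alone, beside a fixed handler that only serves a password-protected album once the server-side session has verified that album's password. The Album and Session types, the PBKDF2 password storage and all function names are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
import hashlib
import hmac
import os


class Forbidden(Exception):
    """Raised when the caller has not proved knowledge of the album password."""


@dataclass
class Album:
    album_id: int
    photos: list[str]
    salt: bytes = b""
    password_hash: bytes = b""  # empty means a public album with no password

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.password_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def is_private(self) -> bool:
        return bool(self.password_hash)

    def check_password(self, password: str) -> bool:
        if not self.is_private():
            return True
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.password_hash)  # constant-time compare


@dataclass
class Session:
    """Server-side session state: ids of albums whose password this session has verified."""
    verified_albums: set[int] = field(default_factory=set)


def verify_album_password(album: Album, session: Session, password: str) -> bool:
    """Separate password-check step; records success in the session, never in client input."""
    if album.check_password(password):
        session.verified_albums.add(album.album_id)
        return True
    return False


def photos_vulnerable(albums: dict[int, Album], album_id: int, session: Session) -> list[str]:
    # Pattern the advisory describes: album existence is the only check, so a
    # private album's photos go to anyone who knows its id.
    return list(albums[album_id].photos)


def photos_fixed(albums: dict[int, Album], album_id: int, session: Session) -> list[str]:
    album = albums[album_id]
    if album.is_private() and album.album_id not in session.verified_albums:
        raise Forbidden(f"album {album_id} requires password verification")
    return list(album.photos)


def build_sample_albums() -> dict[int, Album]:
    """Constructed sample data: one public album and one password-protected album."""
    private = Album(2, ["private-1.jpg", "private-2.jpg"])
    private.set_password("correct horse")
    return {1: Album(1, ["public-1.jpg"]), 2: private}
```

The fixed handler ties the decision to album state plus server-side session state, which is also the place to log denied requests for a private album as a detection signal.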

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.