LumaSoft fotoShare Cloud Password Bypass Vulnerability in Password-Protected Albums
Vulnerability
A vulnerability allowing unauthorized access to password-protected photo albums has been identified in LumaSoft fotoShare Cloud. The issue arises because password validation is enforced only on the client side, so unauthenticated attackers can bypass it. The vulnerability is present in all deployments up to at least August 20, 2025, and no patch is currently available.
Impact
Exploitation of this vulnerability allows remote attackers to access private photos and albums without authorization, bypassing the intended password protection.
Reproduction
To reproduce this vulnerability, access a password-protected album on LumaSoft fotoShare Cloud. Password verification is handled by a client-side JavaScript function that sends the entered password to the server in an AJAX POST request. The server's response, however, is only acted on by the client and is never enforced on the server side, so an attacker can skip the password check from the browser console. Once the check is bypassed, the album's images can be requested directly through the album's URL.
