Lychee
An SQL operator-precedence bug in Lychee prior to 7.5.4 allows authenticated users with upload permission to bypass ownership filters and retrieve all user-group-based sharing permissions across the instance, including those for private albums owned by other users. The vulnerability exists in SharingController::listAll(), where an orWhereNotNull clause escapes the ownership filter applied by a when() block, so the OR branch is evaluated against the whole table rather than only the caller's own albums. This affects any non-admin user who owns at least one album, creating an information disclosure risk that exposes sharing metadata for the entire Lychee instance.
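The precedence problem behind this class of bug, as an added illustration that is not Lychee's code: the table, column names and rows below are constructed, and the two WHERE clauses stand in for a query builder that appends an ownership filter with AND and then an OR ... IS NOT NULL without parentheses (flat) versus one that groups the OR branch (grouped).

```python
import sqlite3

# Constructed sample data, not Lychee's real schema: one row per sharing grant.
# user_id / group_id are NULL when that kind of grant is absent.
SHARES = [
    # (album_id, owner_id, user_id, group_id)
    (1, 10, 30, None),    # owner 10 shares album 1 with user 30
    (2, 10, None, 7),     # owner 10 shares album 2 with group 7
    (3, 20, 31, None),    # owner 20 shares album 3 with user 31
    (4, 20, None, 9),     # owner 20 shares album 4 with group 9
    (5, 20, None, None),  # owner 20, album 5 not shared at all
]

# AND binds tighter than OR, so this reads:
#   (owner_id = ? AND user_id IS NOT NULL) OR group_id IS NOT NULL
# The right-hand OR branch ignores owner_id and matches every group share.
FLAT_SQL = ("SELECT album_id FROM album_shares "
            "WHERE owner_id = ? AND user_id IS NOT NULL OR group_id IS NOT NULL "
            "ORDER BY album_id")

# Parenthesising the OR branch keeps the ownership filter in force for both.
GROUPED_SQL = ("SELECT album_id FROM album_shares "
               "WHERE owner_id = ? AND (user_id IS NOT NULL OR group_id IS NOT NULL) "
               "ORDER BY album_id")


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE album_shares "
                 "(album_id INTEGER, owner_id INTEGER, user_id INTEGER, group_id INTEGER)")
    conn.executemany("INSERT INTO album_shares VALUES (?, ?, ?, ?)", SHARES)
    return conn


def list_shares(owner_id, grouped):
    """Return album ids visible to owner_id under the flat or grouped WHERE clause."""
    conn = _connect()
    sql = GROUPED_SQL if grouped else FLAT_SQL
    return [row[0] for row in conn.execute(sql, (owner_id,))]


def leaked_albums(owner_id):
    """Album ids the flat query exposes that the correctly grouped query does not."""
    return sorted(set(list_shares(owner_id, False)) - set(list_shares(owner_id, True)))


if __name__ == "__main__":
    print("flat:   ", list_shares(10, grouped=False))   # [1, 2, 4]
    print("grouped:", list_shares(10, grouped=True))    # [1, 2]
    print("leaked: ", leaked_albums(10))                # [4]
```

In a query builder the equivalent fix is to nest the OR branch inside its own grouping closure so the generated SQL carries the parentheses; a regression test that runs the endpoint as a non-admin and asserts no foreign owner_id appears in the result catches this class of bug.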
Lychee photo management tool versions before 7.1.0 contain an authorization bypass in the album password unlock mechanism that allows authenticated users to access multiple password-protected albums by unlocking just one that shares the same password. Public exploit code exists for this vulnerability. Administrators should upgrade to version 7.1.0 or later to prevent unauthorized access to protected photo collections.