Rodber Chevereto Free
Monthly
Chevereto's `/json` AJAX listing endpoint fails to enforce the private profile access control that the HTML profile route correctly applies, exposing user images and usernames to unauthenticated callers. Versions 3.7.5 through 4.5.3 are affected across both the commercial Chevereto product and the Chevereto Free (rodber/chevereto-free) variant. An unauthenticated attacker who knows a target's numeric user ID can bypass the privacy setting to retrieve all publicly-scoped media and recover the username the victim explicitly chose to hide. No public exploit is identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Chevereto's `/json` AJAX listing endpoint fails to enforce the private profile access control that the HTML profile route correctly applies, exposing user images and usernames to unauthenticated callers. Versions 3.7.5 through 4.5.3 are affected across both the commercial Chevereto product and the Chevereto Free (rodber/chevereto-free) variant. An unauthenticated attacker who knows a target's numeric user ID can bypass the privacy setting to retrieve all publicly-scoped media and recover the username the victim explicitly chose to hide. No public exploit is identified at time of analysis, and this vulnerability is not listed in CISA KEV.