Trek
Authentication bypass in TREK collaborative travel planner (versions prior to 2.7.2) allows authenticated attackers with low privileges to access and modify trip photos without proper authorization. The missing authorization checks on Immich trip photo management routes enable unauthorized data access (high confidentiality impact) and limited integrity compromise. Exploitation requires authenticated access but no user interaction, and is possible remotely over the network with low attack complexity.
TREK collaborative travel planner versions before 2.7.2 serve uploaded user photos without authentication, allowing unauthenticated remote attackers to enumerate and access private photo collections through direct URL access. The vulnerability is restricted to information disclosure with low impact due to attack complexity constraints, though it exposes sensitive travel-related imagery that users expect to be private.