An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL. NOTE: this is disputed by the Supplier because it is intentional behavior; the photos are part of a social platform on which users expect to find one another.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 04 Sep 2025 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Thu, 04 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-639
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Sep 2025 21:30:00 +0000

Type Values Removed Values Added
Description An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL. An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL. NOTE: this is disputed by the Supplier because it is intentional behavior; the photos are part of a social platform on which users expect to find one another.

Thu, 28 Aug 2025 13:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:reolink:reolink:4.54.0.4.20250526:*:*:*:*:android:*:*

Sat, 23 Aug 2025 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Reolink
Reolink reolink
Vendors & Products Reolink
Reolink reolink

Fri, 22 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 22 Aug 2025 17:00:00 +0000

Type Values Removed Values Added
Description An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2025-09-04T14:37:30.597Z

Reserved: 2025-08-13T00:00:00.000Z

Link: CVE-2025-55621

cve-icon Vulnrichment

Updated: 2025-08-22T17:51:35.740Z

cve-icon NVD

Status : Modified

Published: 2025-08-22T17:15:33.023

Modified: 2025-09-04T15:15:47.327

Link: CVE-2025-55621

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-23T11:53:09Z