A misconfiguration of RSA in PingID Windows Login prior to 2.7 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass.

**

Applications

**

Download PingID as a mobile application for your iOS or Android device, or as a simple and secure desktop application for macOS or Windows. Fully managed by Ping, these applications help enterprises provide convenient security factors that ensure their employees and partners are who they say they are.

**

Mobile

**

**

Desktop

**

SHA256 590269efe33ddf94cfaee5e5a45cf96afb14bf4493781d95d0f355530cee872b Copied!

SHA256 3ae57cb2b2847c2522ca13a926d1e8e5926c22c086ee97521da4e7562e4240c9 Copied!

**

SDK Integration Kit

**

The PingID SDK is a multi-factor authentication (MFA) solution for your customers that prioritizes security and convenience. For MFA, it allows you to send push notifications from your own mobile application, or to send one-time passcodes (OTPs) via email, SMS or voice. It also includes the ability to login with a QR code to give your customers passwordless and usernameless authentication. This integration kit has everything you need to deploy the PingID SDK standalone or with PingFederate. The download includes:

*   **A mobile SDK** to embed secure, user-friendly MFA into your own mobile app (including server-side and mobile sample apps).
    
*   **A PingFederate adapter** that allows you to trigger MFA from PingFederate policies.
    
*   **A PingFederate connector** to provision and manage user lifecycles in the PingID SDK.
    

_\* By downloading the PingID SDK Integration Kit you agree to the license terms._

**DOCUMENTATION**

Admins | Developers

**

Integrations

**

You can integrate PingID with a wide variety of products and services.  

Start Today

See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.

CVE-2021-41992: PingID Downloads

A misconfiguration of RSA in PingID Android app prior to 1.19 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass when using PingID Windows Login.

This document

All documents

This document

Contents

Loading...

CVE-2021-41993: Ping Identity Documentation Portal

Red Planet Laundry Management System 1.0 is vulnerable to SQL Injection.

**About Us**

We **Red Planet Computers** has started development in Laundry Management System in 2017. We have 7+ years experience in development, customization and implementation Web, Mobile application Services.

*   Well and Experienced Staff.
*   User Friendly Services
*   24x7 remote support servies

Our team have hands-on experience in all aspects of IT planning, deployment, operational management and maintenance support. Our design consultants design solutions that fit best within your environment and help achieve your laundry business goals – working with you as trusted advisors to help determine the best solution for your laundry business.

See More

**Development Skills**

**Laundry Management System Developed in following skills**

Our professional and experience developers team are used skill to the top most computer launguages and framworks for ui design, developement, making user friendly and secure laundry application for small business.

Boostrap & CSS _Website and Admin UI Design_

Javascript & Ajax _Website Development_

PHP Codeigniter & Mysqli _Website and Admin Panel_

Flutter, Swift and Kotlin _Android, iOS Mobile App_

**Screenshots**

Here some application UI screens to help you how its look and work LMS Application

*   Admin
*   Website
*   Mobile

**Pricing**

**RPL Standard Package  
(Point Of Sale\*)****INR 30K USD $399/- for lifetime**

*   **Full 100% Source Code  
    Free Source Code for testing Click Here**
*   **License - Lifetime (25 Years)**
*   **Payment - One Time Payment** \[No need Renew/Payment every year\]
*   **Install - Unlimited Devices**
*   Bootstrap Admin Panel
*   Multi-Store Management
*   Multi-user Management
*   POS Screen Management
*   Multi-Launguage Management
*   Barcode Tag Management
*   POS/Laser Printer Management
*   Discount/Taxes Management
*   World Currency Management
*   Wallet/Credit Management
*   Laundry Packages Management
*   SMS, Email Management
*   Profit/Loss Reports
*   Daily/Monthly Reports
*   Mobile(Android, iOS) App
*   Customer / Driver App
*   Customer Front-End Website
*   Payment Gateway
*   Customized UI
*   One Year Free Service & Updates.

Buy Now

**RPL Professional Package  
(E-Commerce\*)****INR 50K USD $649/- for lifetime**

*   **Full 100% Source Code  
    Free Source Code for testing Click Here**
*   **License - Lifetime (25 Years)**
*   **Payment - One Time Payment** \[No need Renew/Payment every year\]
*   **Install - Unlimited Devices**
*   Bootstrap Admin Panel
*   Multi-Store Management
*   Multi-user Management
*   POS+E-Comm Management
*   Multi-Launguage Management
*   Barcode Tag Management
*   POS/Laser Printer Management
*   Discount/Taxes Management
*   World Currency Management
*   Wallet/Credit Management
*   Laundry Packages Management
*   SMS, Email Management
*   Profit/Loss Reports
*   Daily/Monthly Reports
*   Mobile(Android, iOS) App
*   Customer / Driver App
*   Customer Front-End Website
*   Payment Gateway
*   Customized UI (Mobile, Website)
*   One Year Free Service & Updates.

Buy Now

**RPL Development Package  
(Customization\*\*)****Extra 50% POS+50% (OR) E-Commerce+50%**

*   **Full 100% Source Code  
    Free Source Code for testing Click Here**
*   **License - Lifetime (25 Years)**
*   **Payment - One Time Payment** \[No need Renew/Payment every year\]
*   **Install - Unlimited Devices**
*   Bootstrap Admin Panel
*   Multi-Store Management
*   Multi-user Management
*   POS/E-Commerce Management
*   Multi-Launguage Management
*   Barcode Tag Management
*   POS/Laser Printer Management
*   Discount/Taxes Management
*   World Currency Management
*   Wallet/Credit Management
*   Laundry Packages Management
*   SMS, Email Management
*   Profit/Loss Reports
*   Daily/Monthly Reports
*   Mobile(Android, iOS) App
*   Customer / Driver App
*   Customer Front-End Website
*   Payment Gateway
*   Customized UI (Mobile, Website)         \[ as per your requirements\*\* \]
*   One Year Free Service & Updates.

Buy Now

\* Terms and Conditions apply (see FAQ section )  
\*\* Cost may vary depends on the customization

**Frequently Asked Questions**

Here are some of the most Frequently Asked Questions for Laundry Management Systems.

*   Can we get all liceses for lifetime ?
    
    Ans : Yes, if you purchase application with full source code then it's one-time payment and you will get multiple digital license \[lifetime\]. The amount is non-refundable , Once if you have got full source code then you will not getting return amount for any circumstances.
    
*   After purchase full source code can we sell this software ?
    
    Ans : Yes, after purchase application with full source code then you can use or sell anywhere with remove red planet computers company logo and name.
    
*   Can you will provide full source code ?
    
    Ans : Yes, you should have to pay 100% amount, if you want application with full source code. We will send full source code (zip or download link ) within half hours after successfully payment done. We will not provide any kind of equipment. Only RPL Business Package we will not provide source files.
    
*   What is **RPL Development / Customization Package** ?
    
    Ans : If you want manipulation or any changes in application through our professional developer team then you will have to pay selected (standard or professional) package amount plus extra 50% amount for manipulation charges. **Firstly, you have to pay 70% amount of total amount** and remaining 30% amount to pay after project completed, but note that in this period you will not getting full source code, you will getting our web hosting softwares link for testing, after completed project and 100% payment done then we will upload full source code in your website/web hosting server or send full source code link).  
    \- As per your requirement, project will be completed within 20-25 days or earlier.  
    \- Bulk SMS, Payment Gateway, Apple App Store, Google Map API & Play Store Console charges you will have to pay, if you are require.
    
*   Service and Support ?
    
    Ans : We will provide a FREE technical support upto one year after purchase LMS Application. We will answer your question regarding website management, technical details or anything about operating your own website; we can provide this through remotly in 24x7 Hours.
    

**Free Trail Full Version**

Not required fill any personal information or credit card details just click on button and login it

Username : admin  
Password : 1234  
\[ Admin Login Details \]

  
Best view in Desktop or Laptop

Mobile : 8767228990  
Password : 1983  
\[ Demo User Login Details \]

  
Best view in Desktop or Laptop

User Mobile : 8767228990  
Driver Mobile : 1234567890  
\[ Demo User / Driver Login Details \]

   
iOS app install : Download and Extract zip in Mac-OS then drag-drop .app file on Xcode 10+ simulator or connected iphone {iOS v10.0+}.

**Contact**

You can call to us 24x7 regarding Laundry Management System enquiry or solutions

**Location:**

B-02, Sai Sanklap Complex, Survey No. 145/0,  
Usarli Khurd, Panvel, Mumbai, India 410206

**Call:**

Mobile : +91 87672 28990.  
Whatsapp : +91 87672 28990.  
Skype : rpcits2013 / +918767228990.

CVE-2022-28452: Better solutions for Small Laundry and Dry Cleaning Business

**About Us**

We **Red Planet Computers** has started development in Laundry Management System in 2017. We have 7+ years experience in development, customization and implementation Web, Mobile application Services.

*   Well and Experienced Staff.
*   User Friendly Services
*   24x7 remote support servies

Our team have hands-on experience in all aspects of IT planning, deployment, operational management and maintenance support. Our design consultants design solutions that fit best within your environment and help achieve your laundry business goals – working with you as trusted advisors to help determine the best solution for your laundry business.

See More

**Development Skills**

**Laundry Management System Developed in following skills**

Our professional and experience developers team are used skill to the top most computer launguages and framworks for ui design, developement, making user friendly and secure laundry application for small business.

Boostrap & CSS _Website and Admin UI Design_

Javascript & Ajax _Website Development_

PHP Codeigniter & Mysqli _Website and Admin Panel_

Flutter, Swift and Kotlin _Android, iOS Mobile App_

**Screenshots**

Here some application UI screens to help you how its look and work LMS Application

*   Admin
*   Website
*   Mobile

**Pricing**

**RPL Standard Package  
(Point Of Sale\*)****INR 25K USD $349/- for lifetime**

*   **Full 100% Source Code  
    Free Source Code for testing Click Here**
*   **License - Lifetime (25 Years)**
*   **Payment - One Time Payment** \[No need Renew/Payment every year\]
*   **Install - Unlimited Devices**
*   Bootstrap Admin Panel
*   Multi-Store Management
*   Multi-user Management
*   POS Screen Management
*   Multi-Launguage Management
*   Barcode Tag Management
*   POS/Laser Printer Management
*   Discount/Taxes Management
*   World Currency Management
*   Wallet/Credit Management
*   Laundry Packages Management
*   SMS, Email Management
*   Profit/Loss Reports
*   Daily/Monthly Reports
*   Mobile(Android, iOS) App
*   Customer / Driver App
*   Customer Front-End Website
*   Payment Gateway
*   Customized UI
*   One Year Free Service & Updates.

Buy Now

**RPL Professional Package  
(E-Commerce\*)****INR 45K USD $599/- for lifetime**

*   **Full 100% Source Code  
    Free Source Code for testing Click Here**
*   **License - Lifetime (25 Years)**
*   **Payment - One Time Payment** \[No need Renew/Payment every year\]
*   **Install - Unlimited Devices**
*   Bootstrap Admin Panel
*   Multi-Store Management
*   Multi-user Management
*   POS+E-Comm Management
*   Multi-Launguage Management
*   Barcode Tag Management
*   POS/Laser Printer Management
*   Discount/Taxes Management
*   World Currency Management
*   Wallet/Credit Management
*   Laundry Packages Management
*   SMS, Email Management
*   Profit/Loss Reports
*   Daily/Monthly Reports
*   Mobile(Android, iOS) App
*   Customer / Driver App
*   Customer Front-End Website
*   Payment Gateway
*   Customized UI (Mobile, Website)
*   One Year Free Service & Updates.

Buy Now

**RPL Development Package  
(Customization\*\*)****Extra 50% POS+50% (OR) E-Commerce+50%**

*   **Full 100% Source Code  
    Free Source Code for testing Click Here**
*   **License - Lifetime (25 Years)**
*   **Payment - One Time Payment** \[No need Renew/Payment every year\]
*   **Install - Unlimited Devices**
*   Bootstrap Admin Panel
*   Multi-Store Management
*   Multi-user Management
*   POS/E-Commerce Management
*   Multi-Launguage Management
*   Barcode Tag Management
*   POS/Laser Printer Management
*   Discount/Taxes Management
*   World Currency Management
*   Wallet/Credit Management
*   Laundry Packages Management
*   SMS, Email Management
*   Profit/Loss Reports
*   Daily/Monthly Reports
*   Mobile(Android, iOS) App
*   Customer / Driver App
*   Customer Front-End Website
*   Payment Gateway
*   Customized UI (Mobile, Website)         \[ as per your requirements\*\* \]
*   One Year Free Service & Updates.

Buy Now

\* Terms and Conditions apply (see FAQ section )  
\*\* Cost may vary depends on the customization

**Frequently Asked Questions**

Here are some of the most Frequently Asked Questions for Laundry Management Systems.

*   Can we get all liceses for lifetime ?
    
    Ans : Yes, if you purchase application with full source code then it's one-time payment and you will get multiple digital license \[lifetime\]. The amount is non-refundable , Once if you have got full source code then you will not getting return amount for any circumstances.
    
*   After purchase full source code can we sell this software ?
    
    Ans : Yes, after purchase application with full source code then you can use or sell anywhere with remove red planet computers company logo and name.
    
*   Can you will provide full source code ?
    
    Ans : Yes, you should have to pay 100% amount, if you want application with full source code. We will send full source code (zip or download link ) within half hours after successfully payment done. We will not provide any kind of equipment. Only RPL Business Package we will not provide source files.
    
*   What is **RPL Development / Customization Package** ?
    
    Ans : If you want manipulation or any changes in application through our professional developer team then you will have to pay selected (standard or professional) package amount plus extra 50% amount for manipulation charges. **Firstly, you have to pay 70% amount of total amount** and remaining 30% amount to pay after project completed, but note that in this period you will not getting full source code, you will getting our web hosting softwares link for testing, after completed project and 100% payment done then we will upload full source code in your website/web hosting server or send full source code link).  
    \- As per your requirement, project will be completed within 20-25 days or earlier.  
    \- Bulk SMS, Payment Gateway, Apple App Store, Google Map API & Play Store Console charges you will have to pay, if you are require.
    
*   Service and Support ?
    
    Ans : We will provide a FREE technical support upto one year after purchase LMS Application. We will answer your question regarding website management, technical details or anything about operating your own website; we can provide this through remotly in 24x7 Hours.
    

**Free Trail Full Version**

Not required fill any personal information or credit card details just click on button and login it

Username : admin  
Password : 1234  
\[ Admin Login Details \]

  
Best view in Desktop or Laptop

Mobile : 8767228990  
Password : 1983  
\[ Demo User Login Details \]

  
Best view in Desktop or Laptop

User Mobile : 8767228990  
Driver Mobile : 1234567890  
\[ Demo User / Driver Login Details \]

   
iOS app install : Download and Extract zip in Mac-OS then drag-drop .app file on Xcode 10+ simulator or connected iphone {iOS v10.0+}.

**Contact**

You can call to us 24x7 regarding Laundry Management System enquiry or solutions

**Location:**

B-02, Sai Sanklap Complex, Survey No. 145/0,  
Usarli Khurd, Panvel, Mumbai, India 410206

**Call:**

Mobile : +91 87672 28990.  
Whatsapp : +91 87672 28990.  
Skype : rpcits2013 / +918767228990.

Plus: Microsoft patched some 100 flaws, while Oracle issued more than 500 security fixes.

To find the update, you’ll need to check your device settings. Devices that have received the Android April update so far include Google’s Pixel devices and some third-party Android phones, including the Samsung Galaxy A32 5G, A51, A52 5G, A53 5G, A71, S10 series, S20 series, Note20 series, Z Flip 5G, Z Flip3, Z Fold, Z Fold2, and the Z Fold3, as well as the OnePlus 9 and OnePlus 9 Pro.

Google Chrome Emergency Updates

As the world’s biggest browser with over 3 billion users, it’s no surprise attackers are targeting Google Chrome. Browser-based attacks are particularly worrying because they can potentially be chained together with other vulnerabilities and used to take over your device.

It has been a particularly busy month for the team behind Google’s Chrome browser, which has seen several security updates within weeks of each other. The latest, pushed out in mid-April, fixes two issues including a high-severity zero-day vulnerability, CVE-2022-1364, which is already being used by attackers.

The technical details aren’t currently available, but the timing of the fix—just a day after it was reported—indicates it’s pretty serious. If you use Chrome, your browser should now be on version 100.0.4896.127 to include the fix. You’ll need to restart Chrome after the update has installed to ensure it activates.

The Chrome issue also impacts other Chromium-based browsers, including Brave, Microsoft Edge, Opera, and Vivaldi, so if you use one of those, make sure you apply the patch.

But that’s not all. On April 27, Google announced another Chrome update, fixing 30 security vulnerabilities. None of these have been exploited yet, the company says, but seven are rated as being a high risk. The update takes the browser to version 101.0.4951.41.

Oracle’s April 2022 Critical Patch Update

In mid-April, Oracle released its quarterly Critical Patch Update, including a whopping 520 security fixes. Some of the issues fixed in the update are serious—300 of them can be exploited remotely without authentication, and 75 security issues are rated as critical severity. Some of the Oracle patches address CVE-2022-22965, aka Spring4Shell, a remote code execution (RCE) flaw in the spring framework.

Microsoft’s Busy April Patch Tuesday

Microsoft had a major Patch Tuesday in April, issuing fixes for over 100 vulnerabilities, including 10 critical RCE flaws. One of the most important, CVE-2022-24521, is already being exploited by attackers, according to the company.

Reported by the NSA and researchers at CrowdStrike, the issue in the Windows Common Log File system driver doesn’t require human interaction to be exploited and can be used to obtain administrative privileges on a logged-in system. Other notable fixes include CVE-2022-26904—a publicly known issue—and CVE-2022-26815, a severe DNS Server flaw.

Mozilla Thunderbird 91.8.0 Fix

On April 5, Mozilla released a patch to fix security issues in its Thunderbird email client as well as its Firefox browser. The details are scant, but Thunderbird 91.8 fixes four vulnerabilities rated as having a high impact, some of which could be exploited to run arbitrary code.

Firefox ESR 91.8 and Firefox 99 also fix multiple security issues.

WordPress Plugin Elementor Version 3.6.3 

The Elementor website builder plug-in for WordPress has received a big security fix in April for a critical-rated vulnerability that could allow attackers to perform remote code execution and effectively take over a website.

Found by researchers at Plugin Vulnerabilities, the flaw was introduced in the plug-in in version 3.6.0, released on March 22. “We would recommend not using this plugin until it has had a thorough security review and all issues are addressed,” the researchers said.

Although the attacker must be authenticated to exploit the issue, it’s still pretty serious because anyone logged into an affected website can exploit it. The update for Elementor’s 5 million users, version 3.6.3, should be applied as soon as possible.

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   This startup wants to watch your brain
*   The artful, subdued translations of modern pop
*   Netflix doesn't need a password-sharing crackdown
*   How to revamp your workflow with block scheduling
*   The end of astronauts—and the rise of robots
*   👁️ Explore AI like never before with our new database
*   ✨ Optimize your home life with our Gear team’s best picks, from robot vacuums to affordable mattresses to smart speakers

You Need to Update iOS, Android, and Chrome Right Now

Google has been busy. After introducing badges for browser apps, it's also launched its "nutrition labels" for apps.
The post Google Play’s Data safety section empowers Android users to make informed app choices appeared first on Malwarebytes Labs.

Google has launched its new “nutrition labels” for apps, a feature it promised in the spring of 2021. This release came days after the Chrome team released badges for the Chrome Web Store for browser extensions.

The company said in a blog post that it’s rolling out the labels—which it calls the Google Play Data safety section—gradually to users.

The labels are released weeks ahead of the July 20 deadline, the date when developers are required to adequately disclose what their apps do. This includes what data they collect, how it is shared with third parties (if ever), and how they secure user data. “We heard from users and app developers that displaying the data an app collects, without additional context, is not enough,” Google said.

Indeed, the search giant followed Apple’s lead when it introduced app privacy labels in its App Store in December 2020.

The Data safety section’s design relied heavily on feedback from Android users, who also want to know for what purpose their data is collected and whether app developers are sharing it. Google added information on whether an app needs data to function or if data collection is optional. Below is a list of other information that developers can show in the Data safety section of their apps:

> – Whether a qualifying app has committed to following Google Play’s Families Policy to better protect children in the Play store.  
> – Whether the developer has validated their security practices against a global security standard (more specifically, the MASVS).

While this new feature is in place so Android users can make informed choices when it comes to trusting an app with their data, it’s still up to developers to disclose what their apps are capable of. Google said that if it finds a developer misstating their app’s features, the company will ask them to fix it instead of removing the app straight away. Action is only taken if the app remains uncompliant.

We will see if Google does a better job implementing its labels than Apple. If you recall, many labels in the App Store were found to be unreliable as they provided false information.

Here is the Google Play Help page for the Data safety section if you want to read more.

Google Play’s Data safety section empowers Android users to make informed app choices

Turtlapp Turtle Note v0.7.2.6 does not filter the <meta> tag during markdown parsing, allowing attackers to execute HTML injection.

Press Releases | 24 March 2022

**HTML Injection vulnerability found in Turtl Notes, disclosed by Cyber Citadel researchers, could affect iOS and Android users**.

Cyber Citadel’s Lead Security Researcher Rafay Baloch and Security Researcher Muhammad Samak disclosed an HTML Injection vulnerability found in the Turtl Notes application, which could lead to a potential RCE and NTLMv2 hash disclosure via abusing the arbitrary URI schemes.

Turtl Notes user interface

**Turtl Notes**

Turtl Notes is a cross-platform application that focuses on note-taking collaboration. The online service provides users with a notebook sharing platform that allows notes to be organised easily, synchronised across devices, shared with other Turtl users and shared via email. The application has been downloaded 10,000+ times on Google Play and an unknown number of times from the Turtl’s website for Windows, OSX, Linux, Android and iOS.

While Turtl encrypts user data, with an impressive 2,048-bit key encryption system, and boasts the implementation of high-grade firewalls, that protect from DDoS attacks, the HTML Injection vulnerability, found by Rafay Baloch and Muhammad Samak, has exposed a critical flaw in Turtl’s software.

Turtl remote code execution POC

Evidence of Turtle RCE vulnerability

Evidence of Turtle RCE vulnerability

**Response from Vendors**

Vendor

Service

Version

Platform

Reported Date

Fixed

CVE

Turtl

Turtl Notes

0.7.2.6

Windows, Mac, Linux, Android

11/12/2021

N/A

Processing

CVE-2022-28101: HTML Injection Leading to RCE in Turtl - Cyber Citadel

Zepp version 6.1.4-play suffers from a user account enumeration flaw in the password reset function.

# Trovent Security Advisory 2108-02 #  
#####################################

User account enumeration in password reset function  
###################################################

Overview  
########

Advisory ID: TRSA-2108-02  
Advisory version: 1.0  
Advisory status: Public  
Advisory URL: https://trovent.io/security-advisory-2108-02  
Affected product: Zepp Android mobile application (com.huami.watch.hmwatchmanager)  
Tested versions: Zepp 6.1.4-play  
Vendor: Huami Inc., https://www.zepp.com  
Credits: Trovent Security GmbH, Karima Hebbal

Detailed description  
####################

Zepp is a mobile application to collect health information from Zepp or Amazfit  
devices.  
Trovent Security GmbH discovered a user account enumeration vulnerability in  
the password reset function of the Zepp mobile application.  
This vulnerability allows to check if a user with a specific email address is  
registered or not.

Severity: Medium  
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)  
CWE ID: CWE-204  
CVE ID: N/A

Proof of concept  
################

Sample HTTP request sent with a registered email address:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DELETE /registrations/ptesttest33%40gmail.com/password?region=us-west-2&marketing=AmazFit HTTP/2  
Host: api-user.huami.com  
App_name: com.huami.midong  
Accept-Language: en-US  
X-Request-Id: a8a25f6c-e392-4013-b39d-d8b68db532a0  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; ONEPLUS A6003 Build/QKQ1.190716.003)  
Accept-Encoding: gzip, deflate  
Content-Length: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The server response to a valid email address:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HTTP/2 202 Accepted  
Date: Mon, 30 Aug 2021 12:38:52 GMT  
Content-Type: application/json  
Content-Length: 39  
Vary: Origin  
Vary: Access-Control-Request-Method  
Vary: Access-Control-Request-Headers

"HuaMi Oauth / User Registration 2.0.2"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sample HTTP request sent with a non-registered email address:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DELETE /registrations/false%40gmail.com/password?region=us-west-2&marketing=AmazFit HTTP/2  
Host: api-user.huami.com  
App_name: com.huami.midong  
Accept-Language: en-US  
X-Request-Id: a8a25f6c-e392-4013-b39d-d8b68db532a0  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; ONEPLUS A6003 Build/QKQ1.190716.003)  
Accept-Encoding: gzip, deflate  
Content-Length: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The server response to an invalid email address:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HTTP/2 404 Not Found  
Date: Mon, 30 Aug 2021 12:40:08 GMT  
Content-Type: application/json  
Content-Length: 39  
Vary: Origin  
Vary: Access-Control-Request-Method  
Vary: Access-Control-Request-Headers

"HuaMi Oauth / User Registration 2.0.2"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution / Workaround  
#####################

Ensure the application returns a consistent message for both existent and  
non-existent accounts during the password reset process.

History  
#######

2021-08-30: Vulnerability found & advisory created  
2021-09-24: Vendor contacted  
2021-10-25: Vendor contacted again  
2021-11-18: Vendor contacted again  
2022-04-27: No reaction from vendor, advisory published

Zepp 6.1.4-play User Account Enumeration

Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, any application with notification permission can access contacts if Nextcloud has access to Contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tag

#android