Bobdahacker

**Name of the Vulnerable Software and Affected Versions** Petlibro Smart Pet Feeder Platform versions up to 1.7.31 **Description** The Petlibro Smart Pet Feeder Platform is subject to an authentication bypass. Unauthenticated attackers can gain access to any user account by exploiting flaws in the OAuth token validation process within the social login system. Attackers can send requests to the `/member/auth/thirdLogin` API endpoint with manipulated `Google ID` and `phoneBrand` parameters to acquire full session tokens and account access, circumventing standard OAuth verification procedures. **Recommendations** Versions prior to 1.7.31 should be updated. As a temporary workaround, restrict access to the `/member/auth/thirdLogin` API endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Petlibro Smart Pet Feeder Platform versions up to 1.7.31 **Description** The Petlibro Smart Pet Feeder Platform is affected by an authorization bypass. This allows unauthorized users to add themselves as shared owners to any device. The issue is due to missing permission checks when processing requests to the device share API. An attacker can exploit this to gain unauthorized access to devices and view owner information without proper authorization. **Recommendations** Update to a version later than 1.7.31.

**Name of the Vulnerable Software and Affected Versions** Petlibro Smart Pet Feeder Platform versions up to 1.7.31 **Description** The Petlibro Smart Pet Feeder Platform is affected by an information disclosure issue. This allows unauthorized access to private audio recordings. The issue stems from exploiting sequential audio IDs and insecure assignment endpoints. Attackers can send requests to the `/device/deviceAudio/use` API endpoint with arbitrary audio IDs to assign recordings to any device. Subsequently, attackers can retrieve audio URLs to access recordings belonging to other users. The vulnerable parameter is the audio ID used in the request to the `/device/deviceAudio/use` endpoint. **Recommendations** Update to a version later than 1.7.31.

**Name of the Vulnerable Software and Affected Versions** Petlibro Smart Pet Feeder Platform versions up to 1.7.31 **Description** The Petlibro Smart Pet Feeder Platform is affected by an improper access control issue. The platform allows unauthorized device manipulation by accepting arbitrary serial numbers without verifying ownership. An attacker can control any device by sending serial numbers to device control APIs. This allows them to change feeding schedules, trigger manual feeds, access camera feeds, and modify device settings without authorization checks. The vulnerable API endpoints are used for device control. The vulnerable parameter is the serial number. **Recommendations** Versions prior to 1.7.31 should be updated.

**Name of the Vulnerable Software and Affected Versions** Petlibro Smart Pet Feeder Platform versions up to 1.7.31 **Description** The Petlibro Smart Pet Feeder Platform is affected by an information disclosure issue. This allows unauthorized access to device hardware information. An attacker can obtain device serial numbers and MAC addresses by exploiting insecure API endpoints. The `/device/devicePetRelation/getBoundDevices` API endpoint is vulnerable, allowing retrieval of information using pet IDs. This enables full device control without proper authorization. **Recommendations** Update to a version later than 1.7.31.

**Name of the Vulnerable Software and Affected Versions** Petlibro Smart Pet Feeder Platform versions up to 1.7.31 **Description** An access control issue exists in the Petlibro Smart Pet Feeder Platform that allows authorized users to view data belonging to other users. This occurs because of a lack of proper ownership verification. An attacker can send requests to the `/member/pet/detailV2` API endpoint with arbitrary pet IDs to obtain sensitive information, including pet details, member IDs, and avatar URLs, without authorization. The `pet ID` variable is used in the request to access the data. **Recommendations** Versions prior to 1.7.31 should be updated.