Description
VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account password locally on the device and uses that hash as the credential in all communication with the backend API, including login, registration and password changes. Because the hash itself is the credential, an attacker who obtains a user's hash can take over that user's account, which negates the benefit of storing hashed passwords in the database.
Related CPEs
Part: a (application) · Vendor: veryfitpro_project · Product: veryfitpro
2
References
- Not Applicable (URL not present on this page) · Tags: Third Party Advisory, URL Repurposed
- Not Applicable · https://github.com/martinfrancois/CVE-2021-36460 · Tags: Exploit, Mitigation, Third Party Advisory
CVSS impact metrics
CVSS v3.1 base score: 7.8 (High)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Information
Source identifier:
Vulnerability status: Analyzed
Published: 2022-04-25T13:15:49.330
Last modified: 2024-02-14T01:17:43.863