VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords. This allows an attacker in possession of a hash to takeover a user's account, rendering the benefits of storing hashed passwords in the database useless.
References
Link | Resource |
---|---|
http://veryfitpro.com | Not Applicable Third Party Advisory URL Repurposed |
http://www.i-doo.cn | Not Applicable |
https://github.com/martinfrancois/CVE-2021-36460 | Exploit Mitigation Third Party Advisory |
http://veryfitpro.com | Not Applicable Third Party Advisory URL Repurposed |
http://www.i-doo.cn | Not Applicable |
https://github.com/martinfrancois/CVE-2021-36460 | Exploit Mitigation Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 06:13
Type | Values Removed | Values Added |
---|---|---|
References | () http://veryfitpro.com - Not Applicable, Third Party Advisory, URL Repurposed | |
References | () http://www.i-doo.cn - Not Applicable | |
References | () https://github.com/martinfrancois/CVE-2021-36460 - Exploit, Mitigation, Third Party Advisory |
14 Feb 2024, 01:17
Type | Values Removed | Values Added |
---|---|---|
References | () http://veryfitpro.com - Not Applicable, Third Party Advisory, URL Repurposed |
08 Aug 2023, 14:22
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-287 |
05 May 2022, 13:46
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:veryfitpro_project:veryfitpro:*:*:*:*:*:iphone_os:*:* cpe:2.3:a:veryfitpro_project:veryfitpro:*:*:*:*:*:android:*:* |
|
References | (MISC) http://veryfitpro.com - Not Applicable, Third Party Advisory | |
References | (MISC) http://www.i-doo.cn - Not Applicable | |
References | (MISC) https://github.com/martinfrancois/CVE-2021-36460 - Exploit, Mitigation, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : 4.6
v3 : 7.8 |
CWE | CWE-312 |
25 Apr 2022, 13:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-04-25 13:15
Updated : 2024-11-21 06:13
NVD link : CVE-2021-36460
Mitre link : CVE-2021-36460
CVE.ORG link : CVE-2021-36460
JSON object : View
Products Affected
veryfitpro_project
- veryfitpro
CWE
CWE-287
Improper Authentication