CVE-2024-43201

The Planet Fitness Workouts iOS and Android mobile apps prior to version 9.8.12 (released on 2024-07-25) fail to properly validate TLS certificates, allowing an attacker with appropriate network access to obtain session tokens and sensitive information.
References
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:planetfitness:planet_fitness_workouts:*:*:*:*:*:*:*:*
OR cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

History

30 Sep 2024, 13:55

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 8.8
v2 : unknown
v3 : 5.9
References () https://apps.apple.com/us/app/planet-fitness-workouts/id399857015 - () https://apps.apple.com/us/app/planet-fitness-workouts/id399857015 - Product
References () https://dontvacuum.me/bugs/pf/ - () https://dontvacuum.me/bugs/pf/ - Exploit, Third Party Advisory
First Time Google
Planetfitness
Google android
Apple iphone Os
Planetfitness planet Fitness Workouts
Apple
CPE cpe:2.3:a:planetfitness:planet_fitness_workouts:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:*:*
cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

26 Sep 2024, 13:32

Type Values Removed Values Added
Summary
  • (es) Las aplicaciones móviles iOS y Android de Planet Fitness Workouts anteriores a la versión 9.8.12 (lanzada el 25 de julio de 2024) no logran validar correctamente los certificados TLS, lo que permite que un atacante con acceso de red adecuado obtenga tokens de sesión e información confidencial.

23 Sep 2024, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-23 20:15

Updated : 2024-09-30 13:55


NVD link : CVE-2024-43201

Mitre link : CVE-2024-43201

CVE.ORG link : CVE-2024-43201


JSON object : View

Products Affected

planetfitness

  • planet_fitness_workouts

apple

  • iphone_os

google

  • android
CWE
CWE-295

Improper Certificate Validation