VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses that hash to authenticate in all communication with the backend API, including login, registration and password changes. Because the hash is the credential, an attacker in possession of it can take over the user's account, which nullifies the benefit of storing hashed passwords in the database.
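The flaw is a design one rather than a bug in a single line: whatever the client sends as "the hash" is accepted as proof of identity, so the stored value is password-equivalent. The added example below (written for this page; it is not VeryFitPro's code and does not model its real API or message format) contrasts that pattern with the server-side scheme the advisory implies as the fix. In-memory dictionaries stand in for the backend database, and the client-side SHA-256 and the PBKDF2 parameters are illustrative choices, not the application's.

```python
import hashlib
import hmac
import os

# --- Flawed design (the pattern the advisory describes) ---------------------
# The client hashes the password; the server stores and compares that hash.
# The hash itself is therefore the credential: anyone holding the stored
# value can log in, register, or change the password without knowing it.

FLAWED_DB: dict[str, str] = {}  # constructed stand-in for the backend table


def client_side_hash(password: str) -> str:
    # Hypothetical client behaviour: an unsalted digest computed on the device.
    return hashlib.sha256(password.encode()).hexdigest()


def flawed_register(user: str, password: str) -> None:
    FLAWED_DB[user] = client_side_hash(password)


def flawed_login(user: str, presented_hash: str) -> bool:
    # The server never sees the password, only the hash, and compares hash to hash.
    stored = FLAWED_DB.get(user)
    return stored is not None and hmac.compare_digest(stored, presented_hash)


# --- Hardened design ---------------------------------------------------------
# The client sends the password over TLS; the server derives a salted,
# iterated hash and stores salt + hash. A leaked stored value cannot be
# replayed because login requires re-deriving it from the real password.

HARDENED_DB: dict[str, tuple[bytes, bytes]] = {}  # constructed stand-in
PBKDF2_ITERATIONS = 100_000  # illustrative; tune to your latency budget


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def hardened_register(user: str, password: str) -> None:
    salt = os.urandom(16)
    HARDENED_DB[user] = (salt, _derive(password, salt))


def hardened_login(user: str, password: str) -> bool:
    rec = HARDENED_DB.get(user)
    if rec is None:
        _derive(password, b"\x00" * 16)  # spend the same time for unknown users
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _derive(password, salt))


def demonstrate() -> dict[str, bool]:
    """Register the same user under both schemes, then simulate a database leak
    and try to authenticate with nothing but the leaked stored value."""
    flawed_register("alice", "correct horse battery")
    hardened_register("alice", "correct horse battery")

    leaked_flawed = FLAWED_DB["alice"]            # what a DB dump would reveal
    leaked_hardened = HARDENED_DB["alice"][1].hex()

    return {
        # The leaked hash is accepted as-is: account takeover without the password.
        "flawed_hash_replays": flawed_login("alice", leaked_flawed),
        # Sending the leaked hash as if it were the password fails.
        "hardened_hash_replays": hardened_login("alice", leaked_hardened),
        # Only the real password works against the hardened server.
        "hardened_password_works": hardened_login("alice", "correct horse battery"),
        "hardened_wrong_password": hardened_login("alice", "wrong"),
    }


if __name__ == "__main__":
    for check, result in demonstrate().items():
        print(f"{check}: {result}")
```

Detection-wise, the tell in the flawed scheme is that the server's "verify" step is a pure string comparison of two digests: the stored value is as sensitive as a plaintext password and must be treated as such in any breach assessment. The hardened version keys everything on the server-held salt and iteration count, so a dump of the table yields material that still has to be cracked rather than replayed.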
References
| Link | Resource |
|---|---|
| http://veryfitpro.com | Not Applicable, Third Party Advisory, URL Repurposed |
| http://www.i-doo.cn | Not Applicable |
| https://github.com/martinfrancois/CVE-2021-36460 | Exploit, Mitigation, Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-04-25T12:03:38
Updated: 2022-04-25T12:03:38
Reserved: 2021-07-12T00:00:00
Link: CVE-2021-36460
NVD Information
Status : Analyzed
Published: 2022-04-25T13:15:49.330
Modified: 2024-02-14T01:17:43.863
Link: CVE-2021-36460
Redhat Information
No data.
CWE