← Volver a CVEs
CVE-2021-36460
HIGH7.8
Descripcion
VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords. This allows an attacker in possession of a hash to takeover a user's account, rendering the benefits of storing hashed passwords in the database useless.
Detalles CVE
Puntuacion CVSS v3.17.8
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueLOCAL
ComplejidadLOW
Privilegios requeridosLOW
Interaccion usuarioNONE
Publicado4/25/2022
Ultima modificacion11/21/2024
Fuentenvd
Avistamientos honeypot0
Productos afectados
veryfitpro_project:veryfitpro
Debilidades (CWE)
CWE-287
Referencias
http://veryfitpro.com(cve@mitre.org)
http://www.i-doo.cn(cve@mitre.org)
https://github.com/martinfrancois/CVE-2021-36460(cve@mitre.org)
http://veryfitpro.com(af854a3a-2127-422b-91ae-364da2661108)
http://www.i-doo.cn(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/martinfrancois/CVE-2021-36460(af854a3a-2127-422b-91ae-364da2661108)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.