← Back to CVEs
CVE-2021-36460
HIGH7.8
Description
VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords. This allows an attacker in possession of a hash to takeover a user's account, rendering the benefits of storing hashed passwords in the database useless.
CVE Details
CVSS v3.1 Score7.8
SeverityHIGH
CVSS VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack VectorLOCAL
ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
Published4/25/2022
Last Modified11/21/2024
Sourcenvd
Honeypot Sightings0
Affected Products
veryfitpro_project:veryfitpro
Weaknesses (CWE)
CWE-287
References
http://veryfitpro.com(cve@mitre.org)
http://www.i-doo.cn(cve@mitre.org)
https://github.com/martinfrancois/CVE-2021-36460(cve@mitre.org)
http://veryfitpro.com(af854a3a-2127-422b-91ae-364da2661108)
http://www.i-doo.cn(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/martinfrancois/CVE-2021-36460(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.