Vulnerability Description
The VeryFitPro (com.veryfit2hr.second) application 3.2.8 for Android performs all communication with its backend API over cleartext HTTP, including logins, registrations, and password change requests. Anyone positioned to observe the traffic (on the same Wi-Fi network or at any hop on the path to the backend) can read the credentials and session data in transit, which allows information theft and account takeover by passive network sniffing.
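As an added illustration (this is not code from the advisory, the vendor, or the application), the following Python script shows what a passive observer recovers from a login and a password-change request sent over plain HTTP, and a simple check a tester can run over strings extracted from an APK to find cleartext API endpoints. The hostname `api.example.com`, the paths, and the field names are constructed for the example; the real backend host is not taken from this page.

```python
"""What a sniffer sees when an app sends credentials over cleartext HTTP,
plus a check for plain-http API URLs in strings pulled from an APK.
Added example; hosts, paths and field names are constructed."""
import json
import re
from urllib.parse import parse_qs

# Field names that commonly carry identifiers or secrets in login and
# password-change calls (constructed list, extend for the app under test).
SENSITIVE_FIELDS = {"email", "username", "password", "pwd", "passwd",
                    "old_password", "new_password", "token", "session"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request (as reassembled from a TCP stream) into
    method, path, headers and body. Chunked bodies are not handled."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "path": path, "version": version,
            "host": headers.get("host", ""), "headers": headers,
            "body": body[:length]}


def extract_credentials(req: dict) -> dict:
    """Recover identifier/secret fields from a form-encoded or JSON body.
    Without TLS this is all an on-path observer needs to do."""
    ctype = req["headers"].get("content-type", "")
    body = req["body"].decode("utf-8", errors="replace")
    if "application/json" in ctype:
        fields = json.loads(body) if body else {}
    else:
        fields = {k: v[0] for k, v in parse_qs(body).items()}
    return {k: v for k, v in fields.items() if k in SENSITIVE_FIELDS}


def observe(stream: list) -> list:
    """Run extraction over every request in a captured stream; report
    (host, path, secrets) for requests that leaked sensitive fields."""
    findings = []
    for raw in stream:
        req = parse_http_request(raw)
        secrets = extract_credentials(req)
        if secrets:
            findings.append((req["host"], req["path"], secrets))
    return findings


# Matches http:// (not https://) URLs, e.g. in `strings classes.dex` output.
CLEARTEXT_URL = re.compile(r"\bhttp://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\"'<>]*)?")


def find_cleartext_endpoints(strings) -> list:
    """Return the plain-http URLs found in strings extracted from an APK.
    Any API base URL here means the app can reach its backend without TLS
    unless a network security config forbids cleartext traffic."""
    found = set()
    for s in strings:
        for m in CLEARTEXT_URL.finditer(s):
            found.add(m.group(0))
    return sorted(found)


def build_request(method: str, path: str, host: str, ctype: str, body: bytes) -> bytes:
    """Assemble a minimal HTTP/1.1 request as it would appear on the wire."""
    head = (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: {ctype}\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


# Constructed sample traffic (hypothetical host, paths and field names):
# a login and a password change sent without TLS.
LOGIN_REQUEST = build_request(
    "POST", "/api/login", "api.example.com",
    "application/x-www-form-urlencoded",
    b"email=alice%40example.com&password=hunter2")
CHANGE_PASSWORD_REQUEST = build_request(
    "POST", "/api/user/password", "api.example.com", "application/json",
    b'{"old_password": "hunter2", "new_password": "hunter3"}')
APK_STRINGS = ["http://api.example.com/api/login",
               "https://cdn.example.com/assets/logo.png",
               "base url http://api.example.com:8080/v1 ok"]

if __name__ == "__main__":
    for host, path, secrets in observe([LOGIN_REQUEST, CHANGE_PASSWORD_REQUEST]):
        print(f"cleartext credentials to {host}{path}: {secrets}")
    print("cleartext endpoints in APK strings:", find_cleartext_endpoints(APK_STRINGS))
```

In a real engagement the byte strings come from a capture (for example a pcap reassembled with a tool of your choice) rather than from `build_request`; the parsing and extraction logic is the same, which is the point: nothing in the protocol stops the observer, only TLS does.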
CVSS Score
8.1 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| I-Doo | Veryfitpro | 3.2.8 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2021/Jun/45 (Exploit, Mailing List, Third Party Advisory)
- https://play.google.com/store/apps/details?id=com.veryfit2hr.second&hl=en_US&gl=US (Product)
- https://trovent.github.io/security-advisories/TRSA-2105-01/TRSA-2105-01.txt (Exploit, Third Party Advisory)
- https://trovent.io/security-advisory-2105-01 (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-32612?
CVE-2021-32612 is a vulnerability with a CVSS base score of 8.1 (HIGH). The VeryFitPro (com.veryfit2hr.second) application 3.2.8 for Android does all communication with the backend API over cleartext HTTP, including logins, registrations, and password change requests. This allows information theft and account takeover via network sniffing.
How severe is CVE-2021-32612?
CVE-2021-32612 is rated HIGH with a CVSS base score of 8.1/10. The score reflects that the attack is carried out remotely over the network and requires no privileges on the device, only a position from which the app's traffic can be observed.
Is there a patch for CVE-2021-32612?
This page lists no fixed version. Check the references above (the Trovent advisory TRSA-2105-01 and the Full Disclosure post) for remediation status. Affected product: I-Doo VeryFitPro 3.2.8 for Android.