Vulnerability Description
VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and changing of passwords. This allows an attacker in possession of a hash to takeover a user's account, rendering the benefits of storing hashed passwords in the database useless.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Veryfitpro Project | Veryfitpro | <= 3.3.7 |
Related Weaknesses (CWE)
References
- http://veryfitpro.comNot ApplicableThird Party AdvisoryURL Repurposed
- http://www.i-doo.cnNot Applicable
- https://github.com/martinfrancois/CVE-2021-36460ExploitMitigationThird Party Advisory
- http://veryfitpro.comNot ApplicableThird Party AdvisoryURL Repurposed
- http://www.i-doo.cnNot Applicable
- https://github.com/martinfrancois/CVE-2021-36460ExploitMitigationThird Party Advisory
FAQ
What is CVE-2021-36460?
CVE-2021-36460 is a vulnerability with a CVSS score of 7.8 (HIGH). VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration ...
How severe is CVE-2021-36460?
CVE-2021-36460 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-36460?
Check the references section above for vendor advisories and patch information. Affected products include: Veryfitpro Project Veryfitpro.