CVE-2021-36460 Information

Description

VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account’s password locally on the device and uses the hash to authenticate in all communication with the backend API including login registration and changing of passwords. This allows an attacker in possession of a hash to takeover a user’s account rendering the benefits of storing hashed passwords in the database useless.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

http://veryfitpro.com https://github.com/martinfrancois/CVE-2021-36460 http://www.i-doo.cn

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

7.8