VeryFitPro (com.veryfit2hr.second) 3.2.8 hashes the account's password locally on the device and uses the hash to authenticate in all communication with the backend API, including login, registration and password changes. This allows an attacker in possession of a hash to take over a user's account, rendering the benefits of storing hashed passwords in the database useless.
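A minimal model of the design flaw described above, added here as an illustration and not taken from VeryFitPro or its backend: one backend stores the client-sent hash verbatim, the other hashes whatever the client sends again server-side with a salt. SHA-256 as the on-device hash, the class names and the in-memory store are assumptions, since the advisory does not name them.

```python
import hashlib
import hmac
import os

def client_hash(password: str) -> str:
    # Assumption: SHA-256 stands in for the app's on-device hash.
    return hashlib.sha256(password.encode()).hexdigest()

class FlawedBackend:
    """Stores the client-sent hash verbatim and compares it on login."""
    def __init__(self):
        self.db = {}
    def register(self, user, sent_hash):
        self.db[user] = sent_hash
    def login(self, user, sent_hash):
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, sent_hash)

class HardenedBackend:
    """Treats the client-sent value as the password: salted, slow hash server-side."""
    def __init__(self):
        self.db = {}
    def _derive(self, secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 600_000)
    def register(self, user, sent_secret):
        salt = os.urandom(16)
        self.db[user] = (salt, self._derive(sent_secret, salt))
    def login(self, user, sent_secret):
        record = self.db.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(sent_secret, salt))

def stored_value_is_credential(backend, user):
    """Defender's check: does a value read from the credential store log in as-is?"""
    record = backend.db[user]
    value = record if isinstance(record, str) else record[1].hex()
    return backend.login(user, value)

if __name__ == "__main__":
    for backend in (FlawedBackend(), HardenedBackend()):
        backend.register("alice", client_hash("constructed-sample-password"))
        print(type(backend).__name__, stored_value_is_credential(backend, "alice"))
```

In the hardened model the client-side hash is still the effective password on the wire, so it needs the same transport and logging protections as a plaintext password.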
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2022-04-25T12:03:38
Updated: 2024-08-04T00:54:51.522Z
Reserved: 2021-07-12T00:00:00
Link: CVE-2021-36460
NVD
Status: Modified
Published: 2022-04-25T13:15:49.330
Modified: 2024-11-21T06:13:44.960
Link: CVE-2021-36460