Martinfrancois

**Name of the Vulnerable Software and Affected Versions** VeryFitPro version 3.2.8 **Description** The issue allows an attacker in possession of a hashed password to take over a user's account. This is because the password is hashed locally on the device and the hash is used for authentication with the backend API, including for login, registration, and password changes. This renders the benefits of storing hashed passwords in the database useless. **Recommendations** For version 3.2.8, consider disabling the local password hashing mechanism until a patch is available, and restrict access to the backend API to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Grails Fields plugin versions prior to 2.2.8 **Description** The issue is related to a Cross Site Scripting (XSS) vulnerability in the display tag of the Grails Fields plugin. This can result in XSS attacks. **Recommendations** For versions prior to 2.2.8, update to version 2.2.8 or later to resolve the issue.