PT-2021-19807 · Unknown · Veryfitpro

Nick Decker · Published 2021-06-16 · Updated 2021-07-12 · CVE-2021-32612

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: VeryFitPro version 3.2.8

Description: The VeryFitPro application communicates with its backend API over cleartext HTTP, including login, registration, and password change requests. An attacker positioned on the network path can read this traffic, allowing information theft and account takeover via network sniffing.

Recommendations: For version 3.2.8, consider disabling communication with the backend API until a secure transport such as HTTPS is implemented, to prevent information theft and account takeover. Restrict access to sensitive information, such as login credentials and password change requests, to minimize the risk of exploitation.
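As an added illustration that is not part of the advisory, the following Python detector walks proxy-style request records and flags the pattern described above: credential fields (login, registration, password change) carried over plain http rather than https. The hostnames, paths, field names and sample bodies are constructed assumptions; the advisory does not publish VeryFitPro's actual endpoints.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Field names that indicate a credential is being transmitted in the body.
CREDENTIAL_KEY = re.compile(r"^(pass(word|wd)?|pwd|old_?password|new_?password|token|secret)$", re.I)

# Constructed sample requests in the shape a logging proxy would record:
# (method, url, content_type, body). Hosts and paths are hypothetical;
# the advisory does not list the real backend endpoints.
SAMPLE_REQUESTS = [
    ("POST", "http://api.example.invalid/user/login",
     "application/x-www-form-urlencoded", "email=alice%40example.invalid&password=hunter2"),
    ("POST", "https://api.example.invalid/user/login",
     "application/x-www-form-urlencoded", "email=alice%40example.invalid&password=hunter2"),
    ("GET", "http://api.example.invalid/steps/today", "", ""),
    ("POST", "http://api.example.invalid/user/changePassword",
     "application/json", '{"oldPassword": "hunter2", "newPassword": "correct horse"}'),
]

def body_fields(content_type, body):
    """Return the top-level field names of a form-encoded or JSON request body."""
    if not body:
        return []
    if content_type.startswith("application/x-www-form-urlencoded"):
        return list(parse_qs(body, keep_blank_values=True))
    if content_type.startswith("application/json"):
        try:
            data = json.loads(body)
        except ValueError:
            return []  # malformed JSON carries no parseable fields
        return list(data) if isinstance(data, dict) else []
    return []

def find_cleartext_credentials(requests):
    """Return (url, sorted credential fields) for each request sent over plain http (CWE-319)."""
    findings = []
    for method, url, content_type, body in requests:
        if urlsplit(url).scheme.lower() != "http":
            continue  # TLS-protected (or non-HTTP) traffic is not a cleartext finding
        leaked = sorted(f for f in body_fields(content_type, body) if CREDENTIAL_KEY.match(f))
        if leaked:
            findings.append((url, leaked))
    return findings

if __name__ == "__main__":
    for url, fields in find_cleartext_credentials(SAMPLE_REQUESTS):
        print(f"CLEARTEXT CREDENTIAL: {url} fields={fields}")
```

The same check can be pointed at a real proxy export to confirm that a fix actually moved every credential-bearing endpoint to https, not just the login call.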

Weakness Enumeration: Cleartext Transmission of Sensitive Information

Related Identifiers: CVE-2021-32612

Affected Products: Veryfitpro