CVE-2021-36460

Name of the Vulnerable Software and Affected Versions VeryFitPro version 3.2.8

Description The issue allows an attacker in possession of a hashed password to take over a user's account. This is because the password is hashed locally on the device and the hash is used for authentication with the backend API, including for login, registration, and password changes. This renders the benefits of storing hashed passwords in the database useless.

Recommendations For version 3.2.8, consider disabling the local password hashing mechanism until a patch is available, and restrict access to the backend API to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.