Vulnerability Details CVE-2021-32612
The VeryFitPro (com.veryfit2hr.second) application 3.2.8 for Android does all communication with the backend API over cleartext HTTP. This includes logins, registrations, and password change requests. This allows information theft and account takeover via network sniffing.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 46.7%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 4.3
References
- http://seclists.org/fulldisclosure/2021/Jun/45
- https://play.google.com/store/apps/details?id=com.veryfit2hr.second&hl=en_US&gl=US
- https://trovent.github.io/security-advisories/TRSA-2105-01/TRSA-2105-01.txt
- https://trovent.io/security-advisory-2105-01
- http://seclists.org/fulldisclosure/2021/Jun/45
- https://play.google.com/store/apps/details?id=com.veryfit2hr.second&hl=en_US&gl=US
- https://trovent.github.io/security-advisories/TRSA-2105-01/TRSA-2105-01.txt
- https://trovent.io/security-advisory-2105-01
Products affected by CVE-2021-32612
-
cpe:2.3:a:i-doo:veryfitpro:3.2.8