CVE-2024-43201

Planet Fitness Workouts mobile apps do not properly validate TLS certificates

CVSS 8.7 HIGHEPSS 0.4%CWE-295

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.7EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

23 sep 2024Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

The Planet Fitness Workouts iOS and Android mobile apps fail to properly validate TLS certificates, allowing an attacker with appropriate network access to obtain session tokens and sensitive information. Planet Fitness first addressed this vulnerability in version 9.8.12 (released on 2024-07-25) and more recently in version 9.9.13 (released on 2025-02-11).

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/R:U/V:D/RE:L/U:Amber

Productos afectados

Planet Fitness · Planet Fitness Workouts

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://apps.apple.com/us/app/planet-fitness-workouts/id399857015 https://dontvacuum.me/bugs/pf/