CVE-2024-43201

Planet Fitness Workouts mobile apps do not properly validate TLS certificates

CVSS 8.7 HIGHEPSS 0.4%CWE-295

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 8.7EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

23 set 2024Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

The Planet Fitness Workouts iOS and Android mobile apps fail to properly validate TLS certificates, allowing an attacker with appropriate network access to obtain session tokens and sensitive information. Planet Fitness first addressed this vulnerability in version 9.8.12 (released on 2024-07-25) and more recently in version 9.9.13 (released on 2025-02-11).

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/R:U/V:D/RE:L/U:Amber

Produtos afetados

Planet Fitness · Planet Fitness Workouts

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://apps.apple.com/us/app/planet-fitness-workouts/id399857015 https://dontvacuum.me/bugs/pf/