    2 vulnerabilities found for Furbo Mobile App by Tomofun

    CVE-2025-11645 (GCVE-0-2025-11645)

    Vulnerability from nvd – Published: 2025-10-12 20:32 – Updated: 2025-10-18 21:27
    Title
    Tomofun Furbo Mobile App Authentication Token sensitive information
    Summary
    A security vulnerability has been detected in Tomofun Furbo Mobile App up to 7.57.0a on Android. This affects an unknown part of the component Authentication Token Handler. The manipulation leads to insecure storage of sensitive information. It is possible to launch the attack on the physical device. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-922 - Insecure Storage of Sensitive Information
    • CWE-200 - Information Disclosure
    Assigner
    VulDB
    References
    URL                                                   Tags
    https://vuldb.com/?id.328056                          vdb-entry, technical-description
    https://vuldb.com/?ctiid.328056                       signature, permissions-required
    https://vuldb.com/?submit.661899                      third-party-advisory
    https://github.com/dead1nfluence/Furbo-Advisories…    exploit
    Impacted products
    Vendor     Product             Version
    Tomofun    Furbo Mobile App    Affected: 7.57.0a
    Credits
    Calvin Star (Software Secured), Julian B (Software Secured), jTag Labs (VulDB User), jTag Labs (VulDB User)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11645",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-14T14:02:33.489954Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-14T14:02:48.601Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure.md"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Authentication Token Handler"
              ],
              "product": "Furbo Mobile App",
              "vendor": "Tomofun",
              "versions": [
                {
                  "status": "affected",
                  "version": "7.57.0a"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Calvin Star (Software Secured)"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Julian B (Software Secured)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "jTag Labs (VulDB User)"
            },
            {
              "lang": "en",
              "type": "analyst",
              "value": "jTag Labs (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in Tomofun Furbo Mobile App up to 7.57.0a on Android. This affects an unknown part of the component Authentication Token Handler. The manipulation leads to insecure storage of sensitive information. It is possible to launch the attack on the physical device. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "Eine Schwachstelle wurde in Tomofun Furbo Mobile App up to 7.57.0a auf Android gefunden. Hiervon betroffen ist ein unbekannter Codeblock der Komponente Authentication Token Handler. Durch Manipulieren mit unbekannten Daten kann eine insecure storage of sensitive information-Schwachstelle ausgenutzt werden. Der Angriff auf das physische Ger\u00e4t ist m\u00f6glich. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 2.1,
                "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-922",
                  "description": "Insecure Storage of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "Information Disclosure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-18T21:27:53.120Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-328056 | Tomofun Furbo Mobile App Authentication Token sensitive information",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.328056"
            },
            {
              "name": "VDB-328056 | CTI Indicators (IOB, IOC, TTP)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.328056"
            },
            {
              "name": "Submit #661899 | Tomofun Furbo Mobile Application \u2264 7.57.0a Insecure Storage of Sensitive Information",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.661899"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-05-15T20:00:00.000Z",
              "value": "Vulnerability found"
            },
            {
              "lang": "en",
              "time": "2025-06-21T23:00:00.000Z",
              "value": "Vendor informed"
            },
            {
              "lang": "en",
              "time": "2025-07-03T04:30:00.000Z",
              "value": "Vendor acknowledged"
            },
            {
              "lang": "en",
              "time": "2025-10-11T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-10-11T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-10-18T23:29:56.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Tomofun Furbo Mobile App Authentication Token sensitive information"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-11645",
        "datePublished": "2025-10-12T20:32:05.707Z",
        "dateReserved": "2025-10-11T18:32:59.727Z",
        "dateUpdated": "2025-10-18T21:27:53.120Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-11645 (GCVE-0-2025-11645)

    Vulnerability from cvelistv5 – Published: 2025-10-12 20:32 – Updated: 2025-10-18 21:27
    Title
    Tomofun Furbo Mobile App Authentication Token sensitive information
    Summary
    A security vulnerability has been detected in Tomofun Furbo Mobile App up to 7.57.0a on Android. This affects an unknown part of the component Authentication Token Handler. The manipulation leads to insecure storage of sensitive information. It is possible to launch the attack on the physical device. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-922 - Insecure Storage of Sensitive Information
    • CWE-200 - Information Disclosure
    Assigner
    VulDB
    References
    URL                                                   Tags
    https://vuldb.com/?id.328056                          vdb-entry, technical-description
    https://vuldb.com/?ctiid.328056                       signature, permissions-required
    https://vuldb.com/?submit.661899                      third-party-advisory
    https://github.com/dead1nfluence/Furbo-Advisories…    exploit
    Impacted products
    Vendor     Product             Version
    Tomofun    Furbo Mobile App    Affected: 7.57.0a
    Credits
    Calvin Star (Software Secured), Julian B (Software Secured), jTag Labs (VulDB User), jTag Labs (VulDB User)