{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-11645", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-10-11T18:32:59.727Z", "datePublished": "2025-10-12T20:32:05.707Z", "dateUpdated": "2025-10-18T21:27:53.120Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-10-18T21:27:53.120Z"}, "title": "Tomofun Furbo Mobile App Authentication Token sensitive information", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-922", "lang": "en", "description": "Insecure Storage of Sensitive Information"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "Information Disclosure"}]}], "affected": [{"vendor": "Tomofun", "product": "Furbo Mobile App", "versions": [{"version": "7.57.0a", "status": "affected"}], "modules": ["Authentication Token Handler"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Tomofun Furbo Mobile App up to 7.57.0a on Android. This affects an unknown part of the component Authentication Token Handler. The manipulation leads to insecure storage of sensitive information. It is possible to launch the attack on the physical device. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "Eine Schwachstelle wurde in Tomofun Furbo Mobile App up to 7.57.0a auf Android gefunden. Hiervon betroffen ist ein unbekannter Codeblock der Komponente Authentication Token Handler. Durch Manipulieren mit unbekannten Daten kann eine insecure storage of sensitive information-Schwachstelle ausgenutzt werden. Der Angriff auf das physische Ger\u00e4t ist m\u00f6glich. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.4, "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "LOW"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2025-05-15T20:00:00.000Z", "lang": "en", "value": "Vulnerability found"}, {"time": "2025-06-21T23:00:00.000Z", "lang": "en", "value": "Vendor informed"}, {"time": "2025-07-03T04:30:00.000Z", "lang": "en", "value": "Vendor acknowledged"}, {"time": "2025-10-11T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-10-11T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-10-18T23:29:56.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Calvin Star (Software Secured)", "type": "finder"}, {"lang": "en", "value": "Julian B (Software Secured)", "type": "finder"}, {"lang": "en", "value": "jTag Labs (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "jTag Labs (VulDB User)", "type": "analyst"}], "references": [{"url": "https://vuldb.com/?id.328056", "name": "VDB-328056 | Tomofun Furbo Mobile App Authentication Token sensitive information", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.328056", "name": "VDB-328056 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.661899", "name": "Submit #661899 | Tomofun Furbo Mobile Application \u2264 7.57.0a Insecure Storage of Sensitive Information", "tags": ["third-party-advisory"]}, {"url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure.md", "tags": ["exploit"]}]}, "adp": [{"references": [{"url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure.md", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-14T14:02:33.489954Z", "id": "CVE-2025-11645", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-14T14:02:48.601Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11645", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-14T14:02:33.489954Z"}}}], "references": [{"url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure.md", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-14T14:02:23.058Z"}}], "cna": {"title": "Tomofun Furbo Mobile App Authentication Token sensitive information", "credits": [{"lang": "en", "type": "finder", "value": "Calvin Star (Software Secured)"}, {"lang": "en", "type": "finder", "value": "Julian B (Software Secured)"}, {"lang": "en", "type": "reporter", "value": "jTag Labs (VulDB User)"}, {"lang": "en", "type": "analyst", "value": "jTag Labs (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.4, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "Tomofun", "modules": ["Authentication Token Handler"], "product": "Furbo Mobile App", "versions": [{"status": "affected", "version": "7.57.0a"}]}], "timeline": [{"lang": "en", "time": "2025-05-15T20:00:00.000Z", "value": "Vulnerability found"}, {"lang": "en", "time": "2025-06-21T23:00:00.000Z", "value": "Vendor informed"}, {"lang": "en", "time": "2025-07-03T04:30:00.000Z", "value": "Vendor acknowledged"}, {"lang": "en", "time": "2025-10-11T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-10-11T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-10-18T23:29:56.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.328056", "name": "VDB-328056 | Tomofun Furbo Mobile App Authentication Token sensitive information", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.328056", "name": "VDB-328056 | CTI Indicators (IOB, IOC, TTP)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.661899", "name": "Submit #661899 | Tomofun Furbo Mobile Application \u2264 7.57.0a Insecure Storage of Sensitive Information", "tags": ["third-party-advisory"]}, {"url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure.md", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Tomofun Furbo Mobile App up to 7.57.0a on Android. This affects an unknown part of the component Authentication Token Handler. The manipulation leads to insecure storage of sensitive information. It is possible to launch the attack on the physical device. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "Eine Schwachstelle wurde in Tomofun Furbo Mobile App up to 7.57.0a auf Android gefunden. Hiervon betroffen ist ein unbekannter Codeblock der Komponente Authentication Token Handler. Durch Manipulieren mit unbekannten Daten kann eine insecure storage of sensitive information-Schwachstelle ausgenutzt werden. Der Angriff auf das physische Ger\u00e4t ist m\u00f6glich. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-922", "description": "Insecure Storage of Sensitive Information"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "Information Disclosure"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-10-18T21:27:53.120Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11645", "state": "PUBLISHED", "dateUpdated": "2025-10-18T21:27:53.120Z", "dateReserved": "2025-10-11T18:32:59.727Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-10-12T20:32:05.707Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Tomofun Furbo Mobile App up to 7.57.0a on Android. This affects an unknown part of the component Authentication Token Handler. The manipulation leads to insecure storage of sensitive information. It is possible to launch the attack on the physical device. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2025-11645", "lastModified": "2025-10-14T19:36:59.730", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-10-12T21:15:33.303", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure.md"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?ctiid.328056"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?id.328056"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/?submit.661899"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure.md"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-922"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}