Vulnerabilities (CVE)

Filtered by vendor Oklok Project Subscribe
Filtered by product Oklok
Total 4 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-8792 1 Oklok Project 1 Oklok 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) has an information-exposure issue. In the mobile app, an attempt to add an already-bound lock by its barcode reveals the email address of the account to which the lock is bound, as well as the name of the lock. Valid barcode inputs can be easily guessed because barcode strings follow a predictable pattern. Correctly guessed valid barcode inputs entered through the app interface disclose arbitrary users' email addresses and lock names.
CVE-2020-8791 1 Oklok Project 1 Oklok 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) allows remote attackers to submit API requests using authenticated but unauthorized tokens, resulting in IDOR issues. A remote attacker can use their own token to make unauthorized API requests on behalf of arbitrary user IDs. Valid and current user IDs are trivial to guess because of the user ID assignment convention used by the app. A remote attacker could harvest email addresses, unsalted MD5 password hashes, owner-assigned lock names, and owner-assigned fingerprint names for any range of arbitrary user IDs.
CVE-2020-8790 1 Oklok Project 1 Oklok 2024-11-21 7.5 HIGH 9.8 CRITICAL
The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) has weak password requirements combined with improper restriction of excessive authentication attempts, which could allow a remote attacker to discover user credentials and obtain access via a brute force attack.
CVE-2020-10876 2 Mica, Oklok Project 2 Fingerprint Bluetooth Padlock Fb50, Oklok 2024-11-21 5.0 MEDIUM 7.5 HIGH
The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) does not correctly implement its timeout on the four-digit verification code that is required for resetting passwords, nor does it properly restrict excessive verification attempts. This allows an attacker to brute force the four-digit verification code in order to bypass email verification and change the password of a victim account.