{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25605", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-22T13:06:51.975Z", "datePublished": "2026-03-22T13:38:40.499Z", "dateUpdated": "2026-03-23T19:14:48.383Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-22T13:38:40.499Z"}, "title": "EquityPandit 1.0 Insecure Logging Information Disclosure", "descriptions": [{"lang": "en", "value": "EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Attackers can use adb logcat to extract plaintext passwords logged during the forgot password function, exposing user account credentials."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Authorization of Index Containing Sensitive Information", "cweId": "CWE-612", "type": "CWE"}]}], "affected": [{"vendor": "Play", "product": "EquityPandit", "versions": [{"version": "1.0", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/46933", "name": "ExploitDB-46933", "tags": ["exploit"]}, {"url": "https://play.google.com/store/apps/details?id=com.yieldnotion.equitypandit", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: EquityPandit 1.0 Insecure Logging Information Disclosure", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/equitypandit-insecure-logging-information-disclosure"}], "credits": [{"lang": "en", "value": "ManhNho", "type": "finder"}], "x_generator": {"engine": "vulncheck"}, "datePublic": "2019-05-28T00:00:00.000Z"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T19:13:49.859652Z", "id": "CVE-2019-25605", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T19:14:48.383Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-25605", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T19:13:49.859652Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T19:14:32.063Z"}}], "cna": {"title": "EquityPandit 1.0 Insecure Logging Information Disclosure", "credits": [{"lang": "en", "type": "finder", "value": "ManhNho"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Play", "product": "EquityPandit", "versions": [{"status": "affected", "version": "1.0"}]}], "datePublic": "2019-05-28T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/46933", "name": "ExploitDB-46933", "tags": ["exploit"]}, {"url": "https://play.google.com/store/apps/details?id=com.yieldnotion.equitypandit", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/equitypandit-insecure-logging-information-disclosure", "name": "VulnCheck Advisory: EquityPandit 1.0 Insecure Logging Information Disclosure", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Attackers can use adb logcat to extract plaintext passwords logged during the forgot password function, exposing user account credentials."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-612", "description": "Improper Authorization of Index Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-22T13:38:40.499Z"}}}, "cveMetadata": {"cveId": "CVE-2019-25605", "state": "PUBLISHED", "dateUpdated": "2026-03-23T19:14:48.383Z", "dateReserved": "2026-03-22T13:06:51.975Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-22T13:38:40.499Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Attackers can use adb logcat to extract plaintext passwords logged during the forgot password function, exposing user account credentials."}, {"lang": "es", "value": "EquityPandit 1.0 contiene una vulnerabilidad de registro inseguro que permite a los atacantes capturar credenciales de usuario sensibles al acceder a los registros de la consola de desarrollador a trav\u00e9s de Android Debug Bridge. Los atacantes pueden usar adb logcat para extraer contrase\u00f1as en texto plano registradas durante la funci\u00f3n de recuperaci\u00f3n de contrase\u00f1a, exponiendo las credenciales de la cuenta de usuario."}], "id": "CVE-2019-25605", "lastModified": "2026-04-15T15:00:32.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-22T14:16:28.260", "references": [{"source": "disclosure@vulncheck.com", "url": "https://play.google.com/store/apps/details?id=com.yieldnotion.equitypandit"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/46933"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/equitypandit-insecure-logging-information-disclosure"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-612"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "EquityPandit", "source": "cna", "vendor": "Play"}, "product": "equitypandit", "vendor": "play"}], "analysis": {"en": {"generated_at": "2026-03-22T14:40:17.313889+00:00", "value": {"mitigation_remediation": ["Check for and install any newer EquityPandit releases that remove insecure logging.", "Disable Android Debug Bridge (ADB) on devices unless it is absolutely required, or restrict its use to trusted users only.", "Modify the application to eliminate logging of plaintext passwords during authentication processes."], "summary": {"action": "Apply Patch", "impact": "Credential Disclosure via Logcat"}, "threat_synthesis": {"affected_systems": "The affected product is EquityPandit version 1.0, a mobile application available on the Google Play store. No other versions are listed or known to be affected based on the current advisories.", "description_and_impact": "EquityPandit 1.0 logs sensitive user credentials in plaintext during the forgot\u2011password flow. As a result, an attacker who can read the device\u2019s developer console logs can acquire user passwords, undermining confidentiality and enabling account compromise. The vulnerability is a classic case of insecure credential storage and logging, classified as CWE\u2011612.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high severity. Although an EPSS score is not provided, the attack requires access to the device via Android Debug Bridge, which typically requires the device to have debugging enabled or physical access. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no confirmed large\u2011scale exploitation yet. Nevertheless, the potential to harvest credentials is significant, and the attack vector is relatively straightforward once debugging is available."}}}}, "created": "2026-03-23T09:46:14.934752+00:00", "updated": "2026-03-25T14:46:11.405190+00:00", "vendors": ["play", "play$PRODUCT$equitypandit"]}