CVE ID: CVE-2025-61118
Vulnerability type: Incorrect Access Control
Product: mCarFix Motorists App (Android App)
Package Name: com.skytop.mcarfix
Version: 2.3
Vendor: Paniel Mwaura
<aside> 💡
NOTE: We reported this issue via email on 2025-09-05. After more than 45 days without any response or remediation from the vendor, we are publishing this report on 2025-10-20 out of concern for transparency and user security. We remain open to cooperating with the vendor should they choose to respond in the future.
</aside>
Registration requires both a phone number and an email address. After the verification code is sent and entered, the server returns only a success message; the response carries no credential.

Therefore, an attacker can bypass the verification code and register an account with any phone number and email.
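
A server-side mitigation for the verification bypass described above, as an added example (not code from the app or its vendor): a successful verification returns a token bound to the phone number and email, and registration rejects any request that lacks it. The function names, token format, TTL and in-memory stores are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret that never leaves the server
TOKEN_TTL = 600                       # assumption: validity window in seconds
_pending = {}                         # (phone, email) -> (code, expiry); stand-in for a datastore
_used = set()                         # tokens already spent on a registration

def _mac(phone, email, expiry):
    msg = json.dumps([phone, email, expiry]).encode()  # JSON keeps field boundaries unambiguous
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def send_code(phone, email, now=None):
    """Create a one-time code for this phone/email pair (delivery is out of scope)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[(phone, email)] = (code, now + TOKEN_TTL)
    return code  # returned only so the demo can read it; a server would send it out-of-band

def verify_code(phone, email, code, now=None):
    """On success return a token bound to phone+email instead of a bare success flag."""
    now = time.time() if now is None else now
    entry = _pending.pop((phone, email), None)  # each issued code gets a single attempt
    if entry is None or now > entry[1]:
        return None
    if not hmac.compare_digest(entry[0].encode(), code.encode()):
        return None
    expiry = int(now) + TOKEN_TTL
    return f"{expiry}.{_mac(phone, email, expiry)}"

def register(phone, email, token, now=None):
    """Accept registration only with an unexpired, unused token for the same phone+email."""
    now = time.time() if now is None else now
    try:
        expiry_s, mac = token.split(".", 1)
        expiry = int(expiry_s)
    except (AttributeError, ValueError):
        return False
    good = hmac.compare_digest(_mac(phone, email, expiry).encode(), mac.encode())
    if not good or now > expiry or token in _used:
        return False
    _used.add(token)
    return True  # account creation would happen here
```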

Most services in the app use sequential numeric IDs as indexes, allowing unauthorized access by modifying these IDs.