← Retour aux CVEs
CVE-2021-29012
CRITICAL9.8
Description
DMA Softlab Radius Manager 4.4.0 assigns the same session cookie to every admin session. The cookie is valid when the admin is logged in, but is invalid (temporarily) during times when the admin is logged out. In other words, the cookie is functionally equivalent to a static password, and thus provides permanent access if stolen.
Details CVE
Score CVSS v3.19.8
SeveriteCRITICAL
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie4/2/2021
Derniere modification11/21/2024
Sourcenvd
Observations honeypot0
Produits affectes
dmasoftlab:dma_radius_manager
Faiblesses (CWE)
CWE-287
References
http://packetstormsecurity.com/files/164154/DMA-Softlab-Radius-Manager-4.4.0-Session-Management-Cross-Site-Scripting.html(cve@mitre.org)
https://github.com/1d8/publications/tree/main/cve-2021-29012(cve@mitre.org)
https://sourceforge.net/projects/radiusmanager/(cve@mitre.org)
http://packetstormsecurity.com/files/164154/DMA-Softlab-Radius-Manager-4.4.0-Session-Management-Cross-Site-Scripting.html(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/1d8/publications/tree/main/cve-2021-29012(af854a3a-2127-422b-91ae-364da2661108)
https://sourceforge.net/projects/radiusmanager/(af854a3a-2127-422b-91ae-364da2661108)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.