9.8

CVE-2021-29012

Exploit

EPSS 3.2%
Veröffentlicht 02.04.2021 13:15:11
Zuletzt bearbeitet 21.11.2024 06:00:31
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

DMA Softlab Radius Manager 4.4.0 assigns the same session cookie to every admin session. The cookie is valid when the admin is logged in, but is invalid (temporarily) during times when the admin is logged out. In other words, the cookie is functionally equivalent to a static password, and thus provides permanent access if stolen.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Dmasoftlab ≫ Dma Radius Manager Version4.4.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	3.2%	0.858

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

http://packetstormsecurity.com/files/164154/DMA-Softlab-Radius-Manager-4.4.0-Session-Management-Cross-Site-Scripting.html

Third Party Advisory

Exploit

VDB Entry

https://sourceforge.net/projects/radiusmanager/

Third Party Advisory

Product

https://github.com/1d8/publications/tree/main/cve-2021-29012

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2021-29012

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-29012

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-29012

EUVD