PT-2021-17678 · Adguard · Adguard
Jvoisin · Published 2021-03-03 · Updated 2022-07-12
CVE-2021-27935
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
AdGuard versions prior to 0.105.2
Description:
An issue was discovered where an attacker who obtains a user's cookie can brute-force their password offline. This is possible because the hash of the password is stored in the cookie.
Recommendations:
For versions prior to 0.105.2, update to version 0.105.2 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the application that use the stored password hash until a patch is applied. Avoid using the application with sensitive accounts until the issue is resolved.
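The weakness in the description, shown as an added example (not AdGuard's code): a constructed cookie format that embeds the stored password hash, next to a common alternative, an opaque random session token whose mapping to the user stays on the server. The function and type names, the `user:hash` cookie layout and the sample hash string are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
	"sync"
)

// weakCookie models the flawed pattern (constructed stand-in): the cookie carries the stored hash.
func weakCookie(user, storedHash string) string { return user + ":" + storedHash }

// embedsCredential is a regression check for cookies that contain the stored hash.
func embedsCredential(cookie, storedHash string) bool { return strings.Contains(cookie, storedHash) }

// SessionStore maps opaque random tokens to users; the mapping stays on the server.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]string
}

// Issue returns a 256-bit random token that has no relation to the password.
func (s *SessionStore) Issue(user string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.sessions == nil {
		s.sessions = make(map[string]string)
	}
	s.sessions[tok] = user
	return tok, nil
}

// Lookup resolves a token to its user; unknown tokens are rejected.
func (s *SessionStore) Lookup(tok string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	user, ok := s.sessions[tok]
	return user, ok
}

func main() {
	tok, _ := new(SessionStore).Issue("admin")
	fmt.Println(embedsCredential(weakCookie("admin", "sample-hash"), "sample-hash"), embedsCredential(tok, "sample-hash"))
}
```

A captured random token gives its holder nothing to test password guesses against, and deleting its entry from the server-side map invalidates it without a password change.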
Fix
Insufficiently Protected Credentials
Affected Products
Adguard