PT-2021-19169 · Netsia · Netsia Seba+
Ehakkus
+1
·
Published
2021-01-17
·
Updated
2021-01-27
·
CVE-2021-3113
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Netsia SEBA+ versions 0.16.1 and earlier, specifically build 70-e669dcd7
Description
The issue allows remote attackers to discover session cookies via a direct "/session/list/allActiveSession" API endpoint request. This can lead to the discovery of the admin's cookie if the admin account is logged in when the request occurs, allowing the attacker to use that cookie immediately for admin access.
Recommendations
For Netsia SEBA+ versions 0.16.1 and earlier, consider restricting access to the "/session/list/allActiveSession" API endpoint to minimize the risk of exploitation. As a temporary workaround, limit the use of admin accounts when the allActiveSession request may occur. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Netsia Seba+