PT-2021-22509 · Netmodule · Netmodule Nb2700+14

Gerhard Hechenberger +1 · Published 2021-08-23 · Updated 2023-11-02 · CVE-2021-39290

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

NetModule NB800 versions prior to 4.3.0.113
NetModule NB1600 versions prior to 4.4.0.111
NetModule NB1601 versions prior to 4.4.0.111
NetModule NB1800 versions prior to 4.4.0.111
NetModule NB1810 versions prior to 4.4.0.111
NetModule NB2700 versions prior to 4.5.0.105
NetModule NB2710 versions prior to 4.5.0.105
NetModule NB2800 versions prior to 4.5.0.105
NetModule NB2810 versions prior to 4.5.0.105
NetModule NB3700 versions prior to 4.5.0.105
NetModule NB3701 versions prior to 4.5.0.105
NetModule NB3710 versions prior to 4.5.0.105
NetModule NB3711 versions prior to 4.5.0.105
NetModule NB3720 versions prior to 4.5.0.105
NetModule NB3800 versions prior to 4.5.0.105

Description

The issue allows Limited Session Fixation via PHPSESSID. This can affect certain NetModule devices.

Recommendations

For NetModule NB800 versions prior to 4.3.0.113, update to version 4.3.0.113 or later.
For NetModule NB1600, NB1601, NB1800, and NB1810 versions prior to 4.4.0.111, update to version 4.4.0.111 or later.
For NetModule NB2700, NB2710, NB2800, NB2810, NB3700, NB3701, NB3710, NB3711, NB3720, and NB3800 versions prior to 4.5.0.105, update to version 4.5.0.105 or later.

As a temporary workaround, consider restricting access to the PHPSESSID session identifier until a patch is available.

Exploit

Fix

Session Fixation

Weakness Enumeration

Related Identifiers

CVE-2021-39290

Affected Products

Netmodule Nb1600
Netmodule Nb1601
Netmodule Nb1800
Netmodule Nb1810
Netmodule Nb2700
Netmodule Nb2710
Netmodule Nb2800
Netmodule Nb2810
Netmodule Nb3700
Netmodule Nb3701
Netmodule Nb3710
Netmodule Nb3711
Netmodule Nb3720
Netmodule Nb3800
Netmodule Nb800