CVE-2021-3113

EUVD-2021-26465
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and can then use that cookie immediately for admin access,
Forced Browsing
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
Affected Products (NVD)
VendorProductVersion
netsiaseba\+
𝑥
≤ 0.16.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.exploit-db.com/exploits/49435
https://www.netsia.com/#netsiaseba
https://www.pentest.com.tr/exploits/Netsia-SEBA-0-16-1-Authentication-Bypass-Add-Root-User-Metasploit.html
https://www.exploit-db.com/exploits/49435
https://www.netsia.com/#netsiaseba
https://www.pentest.com.tr/exploits/Netsia-SEBA-0-16-1-Authentication-Bypass-Add-Root-User-Metasploit.html