CVE-2021-29012

Published: Apr 2, 2021Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

DMA Softlab Radius Manager 4.4.0 assigns the same session cookie to every admin session. The cookie is valid when the admin is logged in, but is invalid (temporarily) during times when the admin is logged out. In other words, the cookie is functionally equivalent to a static password, and thus provides permanent access if stolen.

Affected (1)

Products: Dmasoftlab: Dma Radius Manager

1 product

Dma Radius Manager

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Dmasoftlab Dma Radius Manager	Version 4.4.0

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (6)

http://packetstormsecurity.com/files/164154/DMA-Softlab-Radius-Manager-4.4.0-Session-Management-Cross-Site-Scripting.html

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://github.com/1d8/publications/tree/main/cve-2021-29012

Source: cve@mitre.org

ExploitThird Party Advisory

https://sourceforge.net/projects/radiusmanager/

Source: cve@mitre.org

ProductThird Party Advisory

http://packetstormsecurity.com/files/164154/DMA-Softlab-Radius-Manager-4.4.0-Session-Management-Cross-Site-Scripting.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://github.com/1d8/publications/tree/main/cve-2021-29012

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://sourceforge.net/projects/radiusmanager/

Source: af854a3a-2127-422b-91ae-364da2661108

ProductThird Party Advisory

Timeline

No history available yet.