CVE-2021-29012
CRITICALDMA Softlab Radius Manager 4.4.0 - Improper Authentication via Static Session Cookie
Title source: llmDescription
DMA Softlab Radius Manager 4.4.0 assigns the same session cookie to every admin session. The cookie is valid when the admin is logged in, but is invalid (temporarily) during times when the admin is logged out. In other words, the cookie is functionally equivalent to a static password, and thus provides permanent access if stolen.
References (3)
Core 3
Core References
Product, Third Party Advisory x_refsource_misc
https://sourceforge.net/projects/radiusmanager/
Exploit, Third Party Advisory x_refsource_misc
https://github.com/1d8/publications/tree/main/cve-2021-29012
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/164154/DMA-Softlab-Radius-Manager-4.4.0-Session-Management-Cross-Site-Scripting.html
Scores
CVSS v3
9.8
EPSS
0.0321
EPSS Percentile
86.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (1)
dmasoftlab/dma_radius_manager
4.4.0
Published
Apr 02, 2021
Tracked Since
Feb 18, 2026