CVE-2021-37189
HIGH
Digi TransPort Gateway Firmware < 6.0.0.0 - Sensitive Cookie Information Disclosure via Missing Secure Attribute
Title source: llm
Description
An issue was discovered on Digi TransPort Gateway devices through 5.2.13.4. They do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an HTTP session.
References (2)
Core References
Vendor Advisory x_refsource_misc
https://www.digi.com/search/results?q=transport
Third Party Advisory x_refsource_misc
https://raw.githubusercontent.com/reidmefirst/vuln-disclosure/main/2021-04.txt
Scores
CVSS v3: 7.5
EPSS: 0.0059
EPSS Percentile: 43.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-311
Status: published
Products (6)
digi/transport_wr11_firmware: < 6.0.0.0
digi/transport_wr11_xt_firmware: < 6.0.0.0
digi/transport_wr21_firmware: < 6.0.0.0
digi/transport_wr31_firmware: < 6.0.0.0
digi/transport_wr41_firmware: < 6.0.0.0
digi/transport_wr44_firmware: < 6.0.0.0
Published: Dec 10, 2021
Tracked Since: Feb 18, 2026