CVE-2021-37189

HIGH

Digi Transport Wr11 Firmware < 6.0.0.0 - Missing Encryption

Title source: rule

Description

An issue was discovered on Digi TransPort Gateway devices through 5.2.13.4. They do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an HTTP session.

References (2)

[Vendor Advisory] https://www.digi.com/search/results?q=transport

[Third Party Advisory] https://raw.githubusercontent.com/reidmefirst/vuln-disclosure/main/2021-04.txt

Scores

CVSS v3 7.5

EPSS 0.0019

EPSS Percentile 40.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-311

Status published

Products (6)

digi/transport_wr11_firmware < 6.0.0.0

digi/transport_wr11_xt_firmware < 6.0.0.0

digi/transport_wr21_firmware < 6.0.0.0

digi/transport_wr31_firmware < 6.0.0.0

digi/transport_wr41_firmware < 6.0.0.0

digi/transport_wr44_firmware < 6.0.0.0

Published Dec 10, 2021

Tracked Since Feb 18, 2026