CVE-2021-20151

Severity: CRITICAL
Year: 2021
CVSS v3 Score: 10.0 (Critical)
CVSS v2 Score: 7.5 (High)

Vulnerability Description

Trendnet AC2600 TEW-827DRU version 2.08B01 contains a flaw in the session management for the device. The router's management software manages web sessions based on IP address rather than verifying client cookies/session tokens/etc. This allows an attacker (whether from a different computer, different web browser on the same machine, etc.) to take over an existing session. This does require the attacker to be able to spoof or take over the original IP address of the original user's session.

CVSS:10.0(Critical)

Session Fixation vulnerabilities allow an attacker to fix a user's session identifier before login, providing an opportunity for session takeover on a product. Affected products: ABB ASPECT - Enterprise...

CVSS:10.0(Critical)

Fiber is an Express-inspired web framework written in Go. A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows us...

CVSS:9.8(Critical)

Session fixation vulnerability in Unit4 Polska TETA Web (formerly TETA Galactica) 22.62.3.4 and earlier allows remote attackers to hijack web sessions via a session id.

CVSS:9.8(Critical)

REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a respons...

CVSS:9.8(Critical)

Session fixation vulnerability in D-Link DIR-600L routers (rev. Ax) with firmware before FW1.17.B01 allows remote attackers to hijack web sessions via unspecified vectors.

CVSS:9.8(Critical)

Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful aut...