Vulnerability Details : CVE-2021-27935
An issue was discovered in AdGuard before 0.105.2. An attacker able to get the user's cookie is able to bruteforce their password offline, because the hash of the password is stored in the cookie.
Products affected by CVE-2021-27935
- cpe:2.3:a:adguard:adguard_home:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-27935
0.13%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 48 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-27935
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2021-27935
-
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-27935
-
https://github.com/AdguardTeam/AdGuardHome/issues/2470
Hash of the password stored in the cookies · Issue #2470 · AdguardTeam/AdGuardHome · GitHubIssue Tracking;Patch;Third Party Advisory
Jump to