CVE-2021-3113
7.5 HIGH
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSes...
Published: 2021-01-17 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE: CWE-425
Affected products
| Vendor | Product |
|---|---|
| netsia | seba\+ |
Description
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and can then use that cookie immediately for admin access.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-3113)
- [Exploit reference](https://www.exploit-db.com/exploits/49435)
- [Vendor advisory](https://www.netsia.com/#netsiaseba)
- [Exploit reference](https://www.pentest.com.tr/exploits/Netsia-SEBA-0-16-1-Authentication-Bypass-Add-Root-User-Metasploit.html)
Related CVEs
Same CWE
- CVE-2026-34028 — The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an aut...
- CVE-2026-11986 — A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities (4.9 MEDIUM)
- CVE-2026-8205 — Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView o... (5.3 MEDIUM)
- CVE-2026-7500 — When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled (5.4 MEDIUM)
- CVE-2025-15587 — Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 allow a low privileged user to read an administrator's passwor...