CVE-2021-38142
8.8 HIGH
Barco MirrorOp Windows Sender before 2.5.3.65 uses cleartext HTTP and thus allows rogue software upgrades
Published: 2021-09-07 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 8.8 HIGH
- Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- CWE: CWE-319
Affected products
| Vendor | Product |
|---|---|
| barco | mirrorop_windows_sender |
Description
Barco MirrorOp Windows Sender before 2.5.3.65 uses cleartext HTTP and thus allows rogue software upgrades. An attacker on the local network can achieve remote code execution on any computer that tries to update Windows Sender due to the fact that the upgrade mechanism is not secured (is not protected with TLS).
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-38142)
- [Vendor advisory](https://www.barco.com/en/support/cms)
- [Vendor advisory](https://www.barco.com/en/support/software/R33050099?majorVersion=2&minorVersion=5&patchVersion=3&buildVersion=65)
Related CVEs
Same CWE
- CVE-2026-9741 — A bug in query analysis processing of the $vectorSearch aggregation stage for Queryable Encryption (QE) or Client-Side Field Level Encryp... (6.5 MEDIUM)
- CVE-2026-45432 — This vulnerability exists in GX Earth ONT models due to the transmission of user credentials in plaintext over HTTP in its web management...
- CVE-2026-8874 — Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted ... (7.1 HIGH)
- CVE-2026-36610 — Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding (5.9 MEDIUM)
- CVE-2026-7666 — An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15 (3.1 LOW)