CVE-2021-39290

9.8 CRITICAL

Certain NetModule devices allow Limited Session Fixation via PHPSESSID

Published: 2021-08-23 · Last updated: 2026-06-17

Severity and scoring

CVSS: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-384

Affected products

Vendor	Product
netmodule	netmodule_router_software

Description

Certain NetModule devices allow Limited Session Fixation via PHPSESSID. These models with firmware before 4.3.0.113, 4.4.0.111, and 4.5.0.105 are affected: NB800, NB1600, NB1601, NB1800, NB1810, NB2700, NB2710, NB2800, NB2810, NB3700, NB3701, NB3710, NB3711, NB3720, and NB3800.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-39290
[Exploit reference]https://seclists.org/fulldisclosure/2021/Aug/22
[Vendor advisory]https://www.netmodule.com
[Exploit reference]https://seclists.org/fulldisclosure/2021/Aug/22
[Vendor advisory]https://www.netmodule.com

Related CVEs

Same vendor

CVE-2021-39291 — Certain NetModule devices allow credentials via GET parameters to CLI-PHP (8.8 HIGH)
CVE-2021-39289 — Certain NetModule devices have Insecure Password Handling (cleartext or reversible encryption), These models with firmware before 4.3.0.1... (7.5 HIGH)

Same CWE

CVE-2026-53900 — Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a mali... (4.3 MEDIUM)
CVE-2009-10007 — Catalyst::Plugin::Authentication versions before 0.10_027 for Perl is susceptible to session fixation attacks (9.1 CRITICAL)
CVE-2026-41839 — A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalati... (4.2 MEDIUM)
CVE-2026-11335 — A flaw has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500e... (6.3 MEDIUM)
CVE-2025-67446 — Improper Authentication (Authentication Bypass) exists in Neterbit NW-431F Router 20241014-IR03 and before (9.8 CRITICAL)