How severe is CVE-2021-21276?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.3 out of 10.

What type of vulnerability is CVE-2021-21276?

This is classified as CWE-863, which is a common weakness in software security.

CVE-2021-21276 - CRITICAL Severity | CVSS 9.3

Vulnerability Description

Polr is an open source URL shortener. in Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a request with specific cookie headers to the /setup/finish endpoint, they may be able to obtain admin privileges on the instance. This is caused by a loose comparison (==) in SetupController that is susceptible to attack. The project has been patched to ensure that a strict comparison (===) is used to verify the setup key, and that /setup/finish verifies that no users table exists before performing any migrations or provisioning any new accounts. This is fixed in version 2.3.0. Users can patch this vulnerability without upgrading by adding abort(404) to the very first line of finishSetup in SetupController.php.

Related Vulnerabilities

CVE-2022-22157

CRITICAL

CVSS:9.3(Critical)

A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthori...

CWE-8632022

CVE-2024-20510

CRITICAL

CVSS:9.3(Critical)

A vulnerability in the Central Web Authentication (CWA) feature of Cisco IOS XE Software for Wireless Controllers could allow an unauthenticated, adjacent attacker to bypass the pre-authentication acc...

CWE-8632024

CVE-2024-48548

CRITICAL

CVSS:9.3(Critical)

The APK file in Cloud Smart Lock v2.0.1 has a leaked a URL that can call an API for binding physical devices. This vulnerability allows attackers to arbitrarily construct a request to use the app to b...

CWE-8632024

CVE-2025-48757

CRITICAL

CVSS:9.3(Critical)

An insufficient database Row-Level Security policy in Lovable through 2025-04-15 allows remote unauthenticated attackers to read or write to arbitrary database tables of generated sites.

CWE-8632025

CVE-2010-2548

CRITICAL

CVSS:9.1(Critical)

IcedTea6 before 1.7.4 does not properly check property access, which allows unsigned apps to read and write arbitrary files.

CWE-8632010

CVE-2013-1350

CRITICAL

CVSS:9.1(Critical)

Verax NMS prior to 2.1.0 has multiple security bypass vulnerabilities

CWE-8632013