{"api_version":"1","generated_at":"2026-04-25T19:49:14+00:00","cve":"CVE-2021-27935","urls":{"html":"https://cve.report/CVE-2021-27935","api":"https://cve.report/api/cve/CVE-2021-27935.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-27935","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-27935"},"summary":{"title":"CVE-2021-27935","description":"An issue was discovered in AdGuard before 0.105.2. An attacker able to get the user's cookie is able to bruteforce their password offline, because the hash of the password is stored in the cookie.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-03-03 20:15:00","updated_at":"2022-07-12 17:42:00"},"problem_types":["CWE-522"],"metrics":[],"references":[{"url":"https://github.com/AdguardTeam/AdGuardHome/issues/2470","name":"https://github.com/AdguardTeam/AdGuardHome/issues/2470","refsource":"MISC","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"Hash of the password stored in the cookies · Issue #2470 · AdguardTeam/AdGuardHome · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-27935","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27935","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"27935","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adguard","cpe5":"adguard_home","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"27935","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"adguard","cpe5":"adguard_home","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-27935","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in AdGuard before 0.105.2. An attacker able to get the user's cookie is able to bruteforce their password offline, because the hash of the password is stored in the cookie."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://github.com/AdguardTeam/AdGuardHome/issues/2470","refsource":"MISC","name":"https://github.com/AdguardTeam/AdGuardHome/issues/2470"}]}},"nvd":{"publishedDate":"2021-03-03 20:15:00","lastModifiedDate":"2022-07-12 17:42:00","problem_types":["CWE-522"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:adguard:adguard_home:*:*:*:*:*:*:*:*","versionEndExcluding":"0.105.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"27935","Ordinal":"203050","Title":"CVE-2021-27935","CVE":"CVE-2021-27935","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"27935","Ordinal":"1","NoteData":"An issue was discovered in AdGuard before 0.105.2. An attacker able to get the user's cookie is able to bruteforce their password offline, because the hash of the password is stored in the cookie.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"27935","Ordinal":"2","NoteData":"2021-03-03","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"27935","Ordinal":"3","NoteData":"2021-03-03","Type":"Other","Title":"Modified"}]}}}