CVE-2021-43939 HIGH

CVE-2021-43939: Elcomplus SmartPtt Improper Authorization

Vendor Elcomplus

Product SmartPTT

Weakness CWE-285

Published April 28, 2022

Last update April 16, 2025

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Elcomplus SmartPTT is vulnerable when a low-authenticated user can access higher level administration authorization by issuing requests directly to the desired endpoints.

Key dates

02Disclosure timeline

April 28, 2022 CVE published

April 16, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-43939 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/285.html

Related vulnerabilities

04Related CVE

CVE-2025-1361 IP2Location Country Blocker <= 2.38.8 - Missing Authorization to Unauthenticated Information Exposure via admin_init Function CVE-2025-4103 WP-GeoMeta 0.3.4 - 0.3.5 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via wp_ajax_wpgm_start_geojson_import Function CVE-2022-39322 @keystone-6/core vulnerable to field-level access-control bypass for multiselect field CVE-2020-24403 Incorrect permissions could lead to unauthorized modification of inventory source data via REST API CVE-2022-45450