CVE-2021-4471 PUBLISHED

TG8 Firewall Unauthenticated User Password Disclosure

Assigner: VulnCheck
Reserved: 14.11.2025 Published: 14.11.2025 Updated: 17.11.2025

TG8 Firewall exposes a directory such as /data/ over HTTP without authentication. This directory stores credential files for previously logged-in users. A remote unauthenticated attacker can enumerate and download files within the directory to obtain valid account usernames and passwords, leading to loss of confidentiality and further unauthorized access.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	TG8
Product	TG8 Firewall
Versions	Default: unknown Version 0 is affected

Credits

SSD Secure Disclosure coordinator

References

Problem Types

CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory CWE

Impacts

CAPEC-95 WSDL Scanning