{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue has been discovered in Novastar-VNNOX-iCare Novaicare 7.16.0 that gives attacker privilege escalation and allows attackers to view corporate information and SMTP server details, delete users, view roles, and other unspecified impacts. NOTE: As of April 2026, the vendor has officially decommissioned the affected legacy endpoints and associated services. The vulnerability is mitigated as the functional logic is no longer operational and the URLs have been removed from production."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2026-04-07T16:48:44.204Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"url": "https://github.com/viperbluff/Novastar-VNNOX-iCare-Privilege-Escalation"}, {"url": "https://twitter.com/viperbluff/status/1439941380244230150?s=20&t=iPSn8eNxaxUKis5OKSQJRQ"}, {"url": "https://security.novaicare.com/advisory-cve-2021-38289.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-38289", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue has been discovered in Novastar-VNNOX-iCare Novaicare 7.16.0 that gives attacker privilege escalation and allows attackers to view corporate information and SMTP server details, delete users, view roles, and other unspecified impacts."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/viperbluff/Novastar-VNNOX-iCare-Privilege-Escalation", "refsource": "MISC", "url": "https://github.com/viperbluff/Novastar-VNNOX-iCare-Privilege-Escalation"}, {"name": "https://twitter.com/viperbluff/status/1439941380244230150?s=20&t=iPSn8eNxaxUKis5OKSQJRQ", "refsource": "MISC", "url": "https://twitter.com/viperbluff/status/1439941380244230150?s=20&t=iPSn8eNxaxUKis5OKSQJRQ"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:37:16.370Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/viperbluff/Novastar-VNNOX-iCare-Privilege-Escalation"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://twitter.com/viperbluff/status/1439941380244230150?s=20&t=iPSn8eNxaxUKis5OKSQJRQ"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-38289", "datePublished": "2022-07-12T12:33:15.000Z", "dateReserved": "2021-08-09T00:00:00.000Z", "dateUpdated": "2026-04-07T16:48:44.204Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:novastar:novaicare:7.16.0:*:*:*:*:*:*:*", "matchCriteriaId": "0BF819F4-D891-4336-8CC3-0DD0CB9FCE59", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue has been discovered in Novastar-VNNOX-iCare Novaicare 7.16.0 that gives attacker privilege escalation and allows attackers to view corporate information and SMTP server details, delete users, view roles, and other unspecified impacts. NOTE: As of April 2026, the vendor has officially decommissioned the affected legacy endpoints and associated services. The vulnerability is mitigated as the functional logic is no longer operational and the URLs have been removed from production."}, {"lang": "es", "value": "Se ha detectado un problema en Novastar-VNNOX-iCare Novaicare versi\u00f3n 7.16.0, que proporciona al atacante una escalada de privilegios y permite a atacantes visualizar informaci\u00f3n corporativa y detalles del servidor SMTP, eliminar usuarios, visualizar roles y otros impactos no especificados"}], "id": "CVE-2021-38289", "lastModified": "2026-04-07T17:16:24.800", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-07-12T14:15:14.573", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/viperbluff/Novastar-VNNOX-iCare-Privilege-Escalation"}, {"source": "cve@mitre.org", "url": "https://security.novaicare.com/advisory-cve-2021-38289.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://twitter.com/viperbluff/status/1439941380244230150?s=20&t=iPSn8eNxaxUKis5OKSQJRQ"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/viperbluff/Novastar-VNNOX-iCare-Privilege-Escalation"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://twitter.com/viperbluff/status/1439941380244230150?s=20&t=iPSn8eNxaxUKis5OKSQJRQ"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}