Total
295 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-11219 | 1 Ilnkp2p Project | 1 Ilnkp2p | 2021-07-21 | 6.4 MEDIUM | 8.2 HIGH |
| The algorithm used to generate device IDs (UIDs) for devices that utilize Shenzhen Yunni Technology iLnkP2P suffers from a predictability flaw that allows remote attackers to establish direct connections to arbitrary devices. | |||||
| CVE-2020-5408 | 2 Pivotal Software, Vmware | 2 Spring Security, Spring Security | 2021-06-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack. | |||||
| CVE-2021-23020 | 1 F5 | 1 Nginx Controller | 2021-06-11 | 2.1 LOW | 5.5 MEDIUM |
| The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys. | |||||
| CVE-2021-29499 | 1 Sylabs | 1 Singularity Image Format | 2021-05-19 | 4.0 MEDIUM | 7.5 HIGH |
| SIF is an open source implementation of the Singularity Container Image Format. The `siftool new` command and func siftool.New() produce predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency. A patch is available in version >= v1.2.3 of the module. Users are encouraged to upgrade. As a workaround, users passing CreateInfo struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue. | |||||
| CVE-2020-25705 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2021-05-18 | 5.8 MEDIUM | 7.4 HIGH |
| A flaw in ICMP packets in the Linux kernel may allow an attacker to quickly scan open UDP ports. This flaw allows an off-path remote attacker to effectively bypass source port UDP randomization. Software that relies on UDP source port randomization are indirectly affected as well on the Linux Based Products (RUGGEDCOM RM1224: All versions between v5.0 and v6.4, SCALANCE M-800: All versions between v5.0 and v6.4, SCALANCE S615: All versions between v5.0 and v6.4, SCALANCE SC-600: All versions prior to v2.1.3, SCALANCE W1750D: v8.3.0.1, v8.6.0, and v8.7.0, SIMATIC Cloud Connect 7: All versions, SIMATIC MV500 Family: All versions, SIMATIC NET CP 1243-1 (incl. SIPLUS variants): Versions 3.1.39 and later, SIMATIC NET CP 1243-7 LTE EU: Version | |||||
| CVE-2021-25375 | 1 Samsung | 1 Email | 2021-04-23 | 4.3 MEDIUM | 6.5 MEDIUM |
| Using predictable index for attachments in Samsung Email prior to version 6.1.41.0 allows remote attackers to get attachments of another emails when users open the malicious attachment. | |||||
| CVE-2021-0375 | 1 Google | 1 Android | 2021-03-12 | 2.1 LOW | 5.5 MEDIUM |
| In onPackageModified of VoiceInteractionManagerService.java, there is a possible change of default applications due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-167261484 | |||||
| CVE-2021-21352 | 1 Anuko | 1 Time Tracker | 2021-03-09 | 5.0 MEDIUM | 9.1 CRITICAL |
| Anuko Time Tracker is an open source, web-based time tracking application written in PHP. In TimeTracker before version 1.19.24.5415 tokens used in password reset feature in Time Tracker are based on system time and, therefore, are predictable. This opens a window for brute force attacks to guess user tokens and, once successful, change user passwords, including that of a system administrator. This vulnerability is pathced in version 1.19.24.5415 (started to use more secure tokens) with an additional improvement in 1.19.24.5416 (limited an available window for brute force token guessing). | |||||
| CVE-2021-27884 | 1 Ymfe | 1 Yapi | 2021-03-08 | 3.6 LOW | 5.1 MEDIUM |
| Weak JSON Web Token (JWT) signing secret generation in YMFE YApi through 1.9.2 allows recreation of other users' JWT tokens. This occurs because Math.random in Node.js is used. | |||||
| CVE-2020-13860 | 1 Mofinetwork | 2 Mofi4500-4gxelte, Mofi4500-4gxelte Firmware | 2021-02-04 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. The one-time password algorithm for the undocumented system account mofidev generates a predictable six-digit password. | |||||
| CVE-2020-27264 | 1 Sooil | 6 Anydana-a, Anydana-a Firmware, Anydana-i and 3 more | 2021-01-22 | 3.3 LOW | 8.8 HIGH |
| In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, the communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications use deterministic keys, which allows unauthenticated, physically proximate attackers to brute-force the keys via Bluetooth Low Energy. | |||||
| CVE-2020-7548 | 1 Schneider-electric | 14 Acti9 Powertag Link, Acti9 Powertag Link Firmware, Acti9 Powertag Link Hd and 11 more | 2020-12-08 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-330 - Use of Insufficiently Random Values vulnerability exists in Smartlink, PowerTag, and Wiser Series Gateways (see security notification for version information) that could allow unauthorized users to login. | |||||
| CVE-2017-13080 | 7 Canonical, Debian, Freebsd and 4 more | 12 Ubuntu Linux, Debian Linux, Freebsd and 9 more | 2020-11-10 | 2.9 LOW | 5.3 MEDIUM |
| Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients. | |||||
| CVE-2020-27743 | 1 Pam Tacplus Project | 1 Pam Tacplus | 2020-11-02 | 7.5 HIGH | 9.8 CRITICAL |
| libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAND_bytes()/RAND_pseudo_bytes(). This could lead to use of a non-random/predictable session_id. | |||||
| CVE-2019-13929 | 1 Siemens | 1 Simatic It Uadm | 2020-10-16 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability has been identified in SIMATIC IT UADM (All versions < V1.3). An authenticated remote attacker with network access to port 1434/tcp of SIMATIC IT UADM could potentially recover a password that can be used to gain read and write access to the related TeamCenter station. The security vulnerability could be exploited only if the attacker is authenticated. No user interaction is required to exploit this security vulnerability. Successful exploitation of the security vulnerability compromises the confidentiality of the targeted system. At the time of advisory publication no public exploitation of this security vulnerability was known. | |||||
| CVE-2020-1905 | 1 Whatsapp | 1 Whatsapp | 2020-10-13 | 4.3 MEDIUM | 3.3 LOW |
| Media ContentProvider URIs used for opening attachments in other apps were generated sequentially prior to WhatsApp for Android v2.20.185, which could have allowed a malicious third party app chosen to open the file to guess the URIs for previously opened attachments until the opener app is terminated. | |||||
| CVE-2019-0007 | 1 Juniper | 17 Junos, Mx10, Mx10003 and 14 more | 2020-08-24 | 7.5 HIGH | 10.0 CRITICAL |
| The vMX Series software uses a predictable IP ID Sequence Number. This leaves the system as well as clients connecting through the device susceptible to a family of attacks which rely on the use of predictable IP ID sequence numbers as their base method of attack. This issue was found during internal product security testing. Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1F5 on vMX Series. | |||||
| CVE-2019-11641 | 1 Anomali | 1 Agave | 2020-08-24 | 5.0 MEDIUM | 7.5 HIGH |
| Anomali Agave (formerly Drupot) through 1.0.0 fails to avoid fingerprinting by including predictable data and minimal variation in size within HTML templates, giving attackers the ability to detect and avoid this system. | |||||
| CVE-2019-12434 | 1 Gitlab | 1 Gitlab | 2020-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in GitLab Community and Enterprise Edition 10.6 through 11.11. Users could guess the URL slug of private projects through the contrast of the destination URLs of issues linked in comments. It allows Information Disclosure. | |||||
| CVE-2019-4411 | 1 Ibm | 1 Cognos Controller | 2020-08-24 | 4.0 MEDIUM | 4.3 MEDIUM |
| IBM Cognos Controller 10.3.0, 10.3.1, 10.4.0, and 10.4.1 could allow an authenticated user to obtain sensitive information due to easy to guess session identifier names. IBM X-Force ID: 162658. | |||||