Total: 99 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-27791 | 1 Ixpdata | 1 Easyinstall | 2023-10-25 | N/A | 8.1 HIGH |
An issue found in IXP Data Easy Install 6.6.148840 allows a remote attacker to escalate privileges via insecure PRNG. | |||||
CVE-2023-39910 | 1 Libbitcoin | 1 Libbitcoin Explorer | 2023-08-22 | N/A | 7.5 HIGH |
The cryptocurrency wallet entropy seeding mechanism used in Libbitcoin Explorer 3.0.0 through 3.6.0 is weak, aka the Milk Sad issue. The use of an mt19937 Mersenne Twister PRNG restricts the internal entropy to 32 bits regardless of settings. This allows remote attackers to recover any wallet private keys generated from "bx seed" entropy output and steal funds. (Affected users need to move funds to a secure new cryptocurrency wallet.) NOTE: the vendor's position is that there was sufficient documentation advising against "bx seed" but others disagree. NOTE: this was exploited in the wild in June and July 2023. | |||||
CVE-2021-23126 | 1 Joomla | 1 Joomla! | 2023-08-08 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of the insecure rand() function within the process of generating the 2FA secret. | |||||
CVE-2021-45484 | 1 Netbsd | 1 Netbsd | 2023-08-08 | 5.0 MEDIUM | 7.5 HIGH |
In NetBSD through 9.2, the IPv6 fragment ID generation algorithm employs a weak cryptographic PRNG. | |||||
CVE-2023-2884 | 1 Cbot | 2 Cbot Core, Cbot Panel | 2023-08-02 | N/A | 9.8 CRITICAL |
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Use of Insufficiently Random Values vulnerability in CBOT Chatbot allows Signature Spoofing by Key Recreation. This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. | |||||
CVE-2023-36993 | 1 Travianz Project | 1 Travianz | 2023-07-13 | N/A | 9.8 CRITICAL |
The cryptographically insecure random number generator being used in TravianZ 8.3.4 and 8.3.3 in the password reset function allows an attacker to guess the password reset parameters and to take over accounts. | |||||
CVE-2021-22948 | 1 Revive-adserver | 1 Revive Adserver | 2023-06-30 | 4.3 MEDIUM | 7.1 HIGH |
Vulnerability in the generation of session IDs in revive-adserver < 5.3.0, based on the cryptographically insecure uniqid() PHP function. Under some circumstances, an attacker could theoretically be able to brute force session IDs in order to take over a specific account. | |||||
CVE-2023-32549 | 1 Canonical | 1 Landscape | 2023-06-16 | N/A | 7.5 HIGH |
Landscape cryptographic keys were insecurely generated with a weak pseudo-random generator. | |||||
CVE-2023-28835 | 1 Nextcloud | 1 Nextcloud Server | 2023-04-07 | N/A | 7.5 HIGH |
Nextcloud server is an open source home cloud implementation. In affected versions the generated fallback password when creating a share was using a weak complexity random number generator, so when the sharer did not change it the password could be guessable to an attacker willing to brute force it. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. This issue only affects users who do not have a password policy enabled, so enabling a password policy is an effective mitigation for users unable to upgrade. | |||||
CVE-2023-24828 | 1 Onedev Project | 1 Onedev | 2023-02-16 | N/A | 8.8 HIGH |
Onedev is a self-hosted Git Server with CI/CD and Kanban. In versions prior to 7.9.12 the algorithm used to generate access token and password reset keys was not cryptographically secure. Existing normal users (or everyone if it allows self-registration) may exploit this to elevate privilege to obtain administrator permission. This issue has been addressed in version 7.9.12. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2022-23472 | 1 Passeo Project | 1 Passeo | 2022-12-08 | N/A | 7.5 HIGH |
Passeo is an open source python password generator. Versions prior to 1.0.5 rely on the python `random` library for random value selection. The python `random` library warns that it should not be used for security purposes due to its reliance on a non-cryptographically secure random number generator. As a result a motivated attacker may be able to guess generated passwords. This issue has been addressed in version 1.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2022-40769 | 1 Profanity Project | 1 Profanity | 2022-09-21 | N/A | 7.5 HIGH |
profanity through 1.60 has only four billion possible RNG initializations. Thus, attackers can recover private keys from Ethereum vanity addresses and steal cryptocurrency, as exploited in the wild in June 2022. | |||||
CVE-2022-36045 | 1 Nodebb | 1 Nodebb | 2022-09-06 | N/A | 9.8 CRITICAL |
NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. It utilizes web sockets for instant interactions and real-time notifications. `utils.generateUUID`, a helper function available in essentially all versions of NodeBB (as far back as v1.0.1 and potentially earlier) used a cryptographically insecure Pseudo-random number generator (`Math.random()`), which meant that a specially crafted script combined with multiple invocations of the password reset functionality could enable an attacker to correctly calculate the reset code for an account they do not have access to. This vulnerability impacts all installations of NodeBB. The vulnerability allows for an attacker to take over any account without the involvement of the victim, and as such, the remediation should be applied immediately (either via NodeBB upgrade or cherry-pick of the specific changeset). The vulnerability has been patched in version 2.x and 1.19.x. There is no known workaround, but the patch sets listed above will fully patch the vulnerability. | |||||
CVE-2022-33738 | 1 Openvpn | 1 Openvpn Access Server | 2022-07-15 | 5.0 MEDIUM | 7.5 HIGH |
OpenVPN Access Server before 2.11 uses a weak random generator to create user session tokens for the web portal. | |||||
CVE-2022-26779 | 1 Apache | 1 Cloudstack | 2022-03-22 | 4.6 MEDIUM | 7.5 HIGH |
Apache CloudStack prior to 4.16.1.0 used insecure random number generation for project invitation tokens. If a project invite is created based only on an email address, a random token is generated. An attacker with knowledge of the project ID and the fact that the invite is sent, could generate time deterministic tokens and brute force attempt to use them prior to the legitimate receiver accepting the invite. This feature is not enabled by default, the attacker is required to know or guess the project ID for the invite in addition to the invitation token, and the attacker would need to be an existing authorized user of CloudStack. | |||||
CVE-2021-36171 | 1 Fortinet | 1 Fortiportal | 2022-03-09 | 6.8 MEDIUM | 8.1 HIGH |
The use of a cryptographically weak pseudo-random number generator in the password reset feature of FortiPortal before 6.0.6 may allow a remote unauthenticated attacker to predict parts of or the whole newly generated password within a given time frame. | |||||
CVE-2013-20003 | 1 Silabs | 10 Zgm130s037hgn, Zgm130s037hgn Firmware, Zgm2305a27hgn and 7 more | 2022-02-09 | 7.9 HIGH | 8.3 HIGH |
Z-Wave devices from Sierra Designs (circa 2013) and Silicon Labs (using S0 security) may use a known, shared network key of all zeros, allowing an attacker within radio range to spoof Z-Wave traffic. | |||||
CVE-2021-43799 | 1 Zulip | 1 Zulip | 2022-02-02 | 5.0 MEDIUM | 9.8 CRITICAL |
Zulip is an open-source team collaboration tool. Zulip Server installs RabbitMQ for internal message passing. In versions of Zulip Server prior to 4.9, the initial installation (until first reboot, or restart of RabbitMQ) does not successfully limit the default ports which RabbitMQ opens; this includes port 25672, the RabbitMQ distribution port, which is used as a management port. RabbitMQ's default "cookie" which protects this port is generated using a weak PRNG, which limits the entropy of the password to at most 36 bits; in practice, the seed for the randomizer is biased, resulting in approximately 20 bits of entropy. If other firewalls (at the OS or network level) do not protect port 25672, a remote attacker can brute-force the 20 bits of entropy in the "cookie" and leverage it for arbitrary execution of code as the rabbitmq user. They can also read all data which is sent through RabbitMQ, which includes all message traffic sent by users. Version 4.9 contains a patch for this vulnerability. As a workaround, ensure that firewalls prevent access to ports 5672 and 25672 from outside the Zulip server. | |||||
CVE-2021-45489 | 1 Netbsd | 1 Netbsd | 2022-01-10 | 5.0 MEDIUM | 7.5 HIGH |
In NetBSD through 9.2, the IPv6 Flow Label generation algorithm employs a weak cryptographic PRNG. | |||||
CVE-2021-3990 | 1 Showdoc | 1 Showdoc | 2021-12-02 | 4.3 MEDIUM | 6.5 MEDIUM |
showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |