Vulnerabilities (CVE)

Filtered by CWE-338
Total 97 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-14480 1 Adremsoft 1 Netcrunch 2024-02-28 7.5 HIGH 9.8 CRITICAL
AdRem NetCrunch 10.6.0.4587 has an Improper Session Handling vulnerability in the NetCrunch web client, which can lead to an authentication bypass or escalation of privileges.
CVE-2020-10560 1 Opensource-socialnetwork 1 Open Source Social Network 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
An issue was discovered in Open Source Social Network (OSSN) through 5.3. A user-controlled file path with a weak cryptographic rand() can be used to read any file with the permissions of the webserver. This can lead to further compromise. The attacker must conduct a brute-force attack against the SiteKey to insert into a crafted URL for components/OssnComments/ossn_com.php and/or libraries/ossn.lib.upgrade.php.
CVE-2019-10754 1 Apereo 1 Central Authentication Service 2024-02-28 5.5 MEDIUM 8.1 HIGH
Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes use of apache commons-lang3 RandomStringUtils for token and ID generation which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong.
CVE-2019-8113 1 Magento 1 Magento 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1 uses cryptographically weak random number generator to brute-force the confirmation code for customer registration.
CVE-2019-10755 1 Pac4j 1 Pac4j 2024-02-28 4.0 MEDIUM 4.9 MEDIUM
The SAML identifier generated within SAML2Utils.java was found to make use of the apache commons-lang3 RandomStringUtils class which makes them predictable due to RandomStringUtils PRNG's algorithm not being cryptographically strong. This issue only affects the 3.X release of pac4j-saml.
CVE-2019-19794 1 Miekg-dns Project 1 Miekg-dns 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
CVE-2015-9435 1 Dash10 1 Oauth Server 2024-02-28 7.5 HIGH 9.8 CRITICAL
The oauth2-provider plugin before 3.1.5 for WordPress has incorrect generation of random numbers.
CVE-2012-6124 1 Call-cc 1 Chicken 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
A casting error in Chicken before 4.8.0 on 64-bit platform caused the random number generator to return a constant value. NOTE: the vendor states "This function wasn't used for security purposes (and is advertised as being unsuitable)."
CVE-2019-7855 1 Magento 1 Magento 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
A cryptograhic flaw in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 could be abused by an unauthenticated user to discover an invariant used in gift card generation.
CVE-2019-5440 1 Revive-adserver 1 Revive Adserver 2024-02-28 6.8 MEDIUM 8.1 HIGH
Use of cryptographically weak PRNG in the password recovery token generation of Revive Adserver < v4.2.1 causes a potential authentication bypass attack if an attacker exploits the password recovery functionality. In lib/OA/Dal/PasswordRecovery.php, the function generateRecoveryId() generates a password reset token that relies on the PHP uniqid function and consequently depends only on the current server time, which is often visible in an HTTP Date header.
CVE-2019-7860 1 Magento 1 Magento 2024-02-28 5.0 MEDIUM 7.5 HIGH
A cryptographically weak pseudo-rando number generator is used in multiple security relevant contexts in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.
CVE-2019-11808 1 Ratpack Project 1 Ratpack 2024-02-28 4.3 MEDIUM 3.7 LOW
Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs.
CVE-2019-11842 1 Matrix 2 Sydent, Synapse 2024-02-28 5.0 MEDIUM 7.5 HIGH
An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.
CVE-2019-16303 1 Jhipster 2 Jhipster, Jhipster Kotlin 2024-02-28 7.5 HIGH 9.8 CRITICAL
A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover.
CVE-2018-12885 1 Mycryptochamp 1 Mycryptochamp 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
The randMod() function of the smart contract implementation for MyCryptoChamp, an Ethereum game, generates a random value with publicly readable variables such as the current block information and a private variable, (which can be read with a getStorageAt call). Therefore, attackers can get powerful champs/items and get rewards.
CVE-2018-14715 1 Cryptogs 1 Cryptogs 2024-02-28 5.0 MEDIUM 7.5 HIGH
The endCoinFlip function and throwSlammer function of the smart contract implementations for Cryptogs, an Ethereum game, generate random numbers with an old block's hash. Therefore, attackers can predict the random number and always win the game.
CVE-2018-12056 1 All-for-one 1 All For One 2024-02-28 5.0 MEDIUM 7.5 HIGH
The maxRandom function of a smart contract implementation for All For One, an Ethereum gambling game, generates a random value with publicly readable variables because the _seed value can be retrieved with a getStorageAt call. Therefore, it allows attackers to always win and get rewards.
CVE-2018-11290 1 Qualcomm 54 Mdm9206, Mdm9206 Firmware, Mdm9607 and 51 more 2024-02-28 5.0 MEDIUM 7.5 HIGH
In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA6574AU, QCA6584, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 650/52, SD 820A, SD 845, SDM429, SDM439, SDM630, SDM632, SDM636, SDM660, SDX20, Snapdragon_High_Med_2016, MAC address randomization performed during probe requests is not done properly due to a flawed RNG in use.
CVE-2018-17968 1 Ruletkaio 1 Ruletkaio 2024-02-28 5.0 MEDIUM 7.5 HIGH
A gambling smart contract implementation for RuletkaIo, an Ethereum gambling game, generates a random value that is predictable by an external contract call. The developer wrote a random() function that uses a block timestamp and block hash from the Ethereum blockchain. This can be predicted by writing the same random function code in an exploit contract to determine the deadSeat value.
CVE-2018-15552 1 Theethereumlottery 1 The Ethereum Lottery 2024-02-28 5.0 MEDIUM 7.5 HIGH
The "PayWinner" function of a simplelottery smart contract implementation for The Ethereum Lottery, an Ethereum gambling game, generates a random value with publicly readable variable "maxTickets" (which is private, yet predictable and readable by the eth.getStorageAt function). Therefore, it allows attackers to always win and get rewards.