280 matches found
CVE-2025-68932
FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators mtrand and uniqid to generate remember-me authentication tokens and challenge-response nonces. This allows attackers to predict valid session tokens, leading to...
FreshRSS 安全特征问题漏洞
FreshRSS is a free, self-hosted RSS aggregator from FreshRSS Open Source. A security feature issue vulnerability exists in FreshRSS versions prior to 1.28.0 that stems from the use of a weak random number generator to generate session tokens, which could lead to account takeover...
When RSA Fails: Exploiting Prime Selection Vulnerabilities in Public Key Cryptography
This paper explores vulnerabilities in RSA cryptosystems that arise from improper prime number selection during key generation. We examine two primary attack vectors: Fermat's factorization method, which exploits RSA keys generated with primes that are too close together, and the Greatest Common...
CVE-2025-68932
FreshRSS suffers from weak cryptographic randomness used to generate remember-me tokens and challenge-response nonces prior to version 1.28.0, enabling potential prediction of valid session tokens and persistent session hijacking leading to account takeover. The issue affects versions before 1.28...
CVE-2025-68932 FreshRSS has weak cryptographic randomness in remember-me token and nonce generation
FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators mtrand and uniqid to generate remember-me authentication tokens and challenge-response nonces. This allows attackers to predict valid session tokens, leading to...
CVE-2025-68932 FreshRSS has weak cryptographic randomness in remember-me token and nonce generation
FreshRSS is a free, self-hostable RSS aggregator. Prior to version 1.28.0, FreshRSS uses cryptographically weak random number generators mtrand and uniqid to generate remember-me authentication tokens and challenge-response nonces. This allows attackers to predict valid session tokens, leading to...
Johnson Controls IQ series和Johnson Controls PowerG 安全漏洞
The Johnson Controls IQ series and Johnson Controls PowerG are both products of Johnson Controls, Inc.The Johnson Controls IQ series is a series of intelligent security and automation control platforms.The Johnson Johnson Controls PowerG is a communications device. A security vulnerability exists...
CVE-2025-54981
Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are...
PT-2025-51054
The Login Lockdown & Protection plugin for WordPress is vulnerable to IP Block Bypass in all versions up to, and including, 2.14. This is due to $unblock key key being insufficiently random allowing unauthenticated users, with access to an administrative user email, to generate valid unblock keys...
PT-2025-50940
Weak Encryption Algorithm in StreamPark, The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data This issue affects Apache StreamPark: from 2.0.0 before 2.1.7. Users are...
CVE-2025-67504 WBCE CMS has Weak Random Number Generator in Password Generation Function
WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword to create passwords using PHP's rand. rand is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege...
CVE-2025-67504 WBCE CMS has Weak Random Number Generator in Password Generation Function
WBCE CMS is a content management system. Versions 1.6.4 and below use function GenerateRandomPassword to create passwords using PHP's rand. rand is not cryptographically secure, which allows password sequences to be predicted or brute-forced. This can lead to user account compromise or privilege...
AlmaLinux 9 : bind9.18 (ALSA-2025:21111)
The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2025:21111 advisory. bind: Cache poisoning attacks with unsolicited RRs CVE-2025-40778 bind: Cache poisoning due to weak PRNG CVE-2025-40780 bind: Resource exhaustion via...
CVE-2025-59390
Apache Druid’s Kerberos authenticator uses a weak fallback secret when the druid.auth.authenticator.kerberos.cookieSignatureSecret configuration is not explicitly set. In this case, the secret is generated using ThreadLocalRandom, which is not a crypto-graphically secure random number generator...
EUVD-2025-199714
Apache Druid’s Kerberos authenticator uses a weak fallback secret...
CVE-2025-59390
Apache Druid’s Kerberos authenticator is affected. If the configuration druid.auth.authenticator.kerberos.cookieSignatureSecret is not set, a weak fallback secret is generated with ThreadLocalRandom, which is not cryptographically secure. This can allow an attacker to predict or brute‑force the c...
librnp: Weak random number generation
Background librnp is a high performance C++ OpenPGP library. Description The affected librnp version generated weak session keys for its public key encryption PKESK mode. Impact Messages encrypted using the affected librnp version might be readable by an attacker with just the public key...
GLSA-202511-07 : librnp: Weak random number generation
The remote host is affected by the vulnerability described in GLSA-202511-07 librnp: Weak random number generation The affected librnp version generated weak session keys for its public key encryption PKESK mode. Tenable has extracted the preceding description block directly from the Gentoo Linux...
SUSE-SU-2025:4222-1 Security update for bind
This update for bind fixes the following issues: - CVE-2025-40778: Address various spoofing attacks bsc1252379. - CVE-2025-40780: Cache-poisoning due to weak pseudo-random number generator bsc1252380...
AlmaLinux 10 : bind (ALSA-2025:21034)
The remote AlmaLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2025:21034 advisory. bind: Cache poisoning attacks with unsolicited RRs CVE-2025-40778 bind: Cache poisoning due to weak PRNG CVE-2025-40780 bind: Resource exhaustion via...