
5 matches found

RedhatCVE
added 2025/04/07 4:52 p.m., 13 views

CVE-2024-52322

WebService::Xero 0.11 and earlier for Perl uses the rand function as the default source of entropy, which is not cryptographically secure, for cryptographic functions. Specifically WebService::Xero uses the Data::Random library which specifically states that it is "Useful mostly for test programs...

CVSS 5.5, AI score 7, EPSS 0.00158
Exploits: 0, References: 1
CVE
added 2025/04/05 3:35 p.m., 76 views

CVE-2024-57868

CVE-2024-57868 affects Web::API 2.8 and earlier for Perl. The root cause is use of rand() as the default entropy source via Data::Random, which is not cryptographically secure, for cryptographic functions. This is stated in the CVE description and supported by references to Data::Random and rand(...

CVSS 5.5, AI score 6.7, EPSS 0.00184
Exploits: 0, References: 5, Affected Software: 1
OSV
added 2025/04/04 4:6 p.m., 7 views

GHSA-2FRX-2596-X5R6 gitoxide does not detect SHA-1 collision attacks

Summary: gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. Details: gitoxide uses the sha1smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct G...

CVSS 6.8, AI score 6.6, EPSS 0.0002
Exploits: 0, References: 5
Github Security Blog
added 2025/04/04 4:6 p.m., 15 views

gitoxide does not detect SHA-1 collision attacks

Summary: gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. Details: gitoxide uses the sha1smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct G...

CVSS 6.8, AI score 7, EPSS 0.0002
Exploits: 0, References: 5, Affected Software: 27
Prion
added 2023/02/01 10:15 p.m., 14 views

Design/Logic Flaw

An issue was discovered in dotCMS core 5.3.8.5 through 5.3.8.15 and 21.03 through 22.10.1. A cryptographically insecure random generation algorithm for password-reset token generation leads to account takeover...

CVSS 6.8, AI score 8.6, EPSS 0.00374
Exploits: 0, References: 1, Affected Software: 1