192 matches found
CVE-2021-36171
The use of a cryptographically weak pseudo-random number generator in the password reset feature of FortiPortal before 6.0.6 may allow a remote unauthenticated attacker to predict parts of or the whole newly generated password within a given time frame...
GHSA-75V8-2H7P-7M2M Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content
Formidable aka node-formidable 2.x before 2.1.3 and 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." Also, there is a scenario in which only the last two characters of a hexoid...
OPENSUSE-SU-2025:0123-1 Security update for perl-Data-Entropy
This update for perl-Data-Entropy fixes the following issues: Updated to 0.8.0 (0.008): see /usr/share/doc/packages/perl-Data-Entropy/Changes. Version 0.008; 2025-03-27: Use Crypt::URandom to seed the default algorithm with cryptographically secure random bytes instead of the builtin rand function...
DEBIAN-CVE-2025-1860
Data::Entropy for Perl 0.007 and earlier use the rand function as the default source of entropy, which is not cryptographically secure, for cryptographic functions...
GHSA-237R-R8M4-4Q88 Guzzle OAuth Subscriber has insufficient nonce entropy
Impact: Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source (https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php#L192). This can leave servers vulnerable to replay attacks when TLS is not used. Patches: Upgrade to version 0.8.1 or higher...
PT-2025-4478 · Unknown +1 · Net::Oauth +1
Name of the Vulnerable Software and Affected Versions: Net::OAuth versions prior to 0.29. Description: The default nonce in Net::OAuth::Client is a 32-bit integer generated from the built-in rand function, which is not cryptographically strong. This weakness can be exploited due to the use of a...
GHSA-6943-QR24-82VX sftpgo vulnerable to brute force takeover of OpenID Connect session cookies
Impact: The OpenID Connect implementation, in the affected SFTPGo versions, allows authenticated users to brute force session cookies and thereby gain access to other users' data, since the cookies are generated predictably using the xid library and are therefore unique but not cryptographically...
CVE-2024-52801
sftpgo is a full-featured and highly configurable event-driven file transfer solution. Server protocols: SFTP, HTTP/S, FTP/S, WebDAV. The OpenID Connect implementation allows authenticated users to brute force session cookies and thereby gain access to other users' data, since the cookies are...
CVE-2024-52801 Brute force takeover of OpenID Connect session cookies in sftpgo
sftpgo is a full-featured and highly configurable event-driven file transfer solution. Server protocols: SFTP, HTTP/S, FTP/S, WebDAV. The OpenID Connect implementation allows authenticated users to brute force session cookies and thereby gain access to other users' data, since the cookies are...
Fedora 41 : aws (2024-7908ee39a9)
The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-7908ee39a9 advisory. CVE-2024-41708: Ada Web Server did not use a cryptographically secure pseudorandom number generator. AWS.Utils.Random and AWS.Utils.RandomString used...
Fedora: Security Advisory (FEDORA-2024-63f98f8c60)
The remote host is missing an update for the...
Fedora: Security Advisory (FEDORA-2024-d940f25a53)
The remote host is missing an update for the...
Fedora 40 : aws (2024-63f98f8c60)
The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-63f98f8c60 advisory. CVE-2024-41708: Ada Web Server did not use a cryptographically secure pseudorandom number generator. AWS.Utils.Random and AWS.Utils.RandomString used...
CVE-2024-42475 OAuth library for nim allows insecure generation of state values by generateState - entropy too low and uses regular PRNG instead of CSPRNG
In the OAuth library for nim prior to version 0.11, the state values generated by the generateState function do not have sufficient entropy. These can be successfully guessed by an attacker allowing them to perform a CSRF vs a user, associating the user's session with the attacker's protected...
GHSA-CF3Q-VG8W-MW84 Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account. This issue...
CVE-2024-29868
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account. This issue...
CVE-2024-29868 Apache StreamPipes, Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account. This issue...
CVE-2024-24553
Bludit uses the SHA-1 hashing algorithm to compute password hashes. Thus, attackers could determine cleartext passwords with brute-force attacks due to the inherent speed of SHA-1. In addition, the salt that is computed by Bludit is generated with a non-cryptographically secure function...
CVE-2024-24553
CVE-2024-24553 relates to Bludit, where password hashes are computed with SHA-1 and the salt is generated by a non-cryptographically secure function. Attackers could brute-force SHA-1 to recover plaintext passwords, per the description in multiple sources. The connected documents consistently des...