CVE-2013-7464

In csrf-magic before 1.0.4, if $GLOBALS'csrf''secret' is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used...

Cross site request forgery (csrf)

In csrf-magic before 1.0.4, if $GLOBALS'csrf''secret' is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used...

CVE-2013-7464

In csrf-magic before 1.0.4, if $GLOBALS'csrf''secret' is not configured, the Anti-CSRF Token used is predictable and would permit an attacker to bypass the CSRF protections, because an automatically generated secret is not used...

Code injection

The endCoinFlip function and throwSlammer function of the smart contract implementations for Cryptogs, an Ethereum game, generate random numbers with an old block's hash. Therefore, attackers can predict the random number and always win the game...

CVE-2018-14715

The endCoinFlip function and throwSlammer function of the smart contract implementations for Cryptogs, an Ethereum game, generate random numbers with an old block's hash. Therefore, attackers can predict the random number and always win the game...

CVE-2018-14715

The endCoinFlip function and throwSlammer function of the smart contract implementations for Cryptogs, an Ethereum game, generate random numbers with an old block's hash. Therefore, attackers can predict the random number and always win the game...

Security Bulletin: node-uuid unsafe fallback to Math.random affects IBM Rational Application Developer for WebSphere Software included in Rational Developer for i and Rational Developer for AIX and Linux (CVE-2015-8851)

Summary Portions of IBM Rational Application Developer for WebSphere Software are shipped as a component of Rational Developer for i RPG and COBOL + Modernization Tools, Java and EGL editions, and Rational Developer for AIX and Linux. A vulnerability in the node-uuid module causes the module to...

Cross site request forgery (csrf)

Grundig Smart Inter@ctive TV 3.0 devices allow CSRF attacks via a POST request to TCP port 8085 containing a predictable ID value, as demonstrated by a /sendrcpackage?keyid=-2544&keysymbol=-4081 request to shut off the device...

Attack on Pseudo-random number generator (PRNG) used in 1000 Guess, an Ethereum lottery game. (CVE-2018–12454)

Abstract An Ethereum lottery game, 1000 Guess, has a vulnerability that it generates random numbers predictable by anyone. This game decides a winner by a random number when the number of players who bet on the contract reaches to the predetermined number. The contract generates the random number...

CVE-2018-12103

An issue was discovered on D-Link DIR-890L with firmware 1.21B02beta01 and earlier, DIR-885L/R with firmware 1.21B03beta01 and earlier, and DIR-895L/R with firmware 1.21B04beta04 and earlier devices all hardware revisions. Due to the predictability of the /docs/captchanumber.jpeg URI, being local...

UBUNTU-CVE-2018-12520

An issue was discovered in ntopng 3.4 before 3.4.180617. The PRNG involved in the generation of session IDs is not seeded at program startup. This results in deterministic session IDs being allocated for active user sessions. An attacker with foreknowledge of the operating system and standard...

D-Link DIR-890L A2 Improper Access Control Vulnerability

D-Link DIR-890L is a wireless router product from AUO D-Link. The D-Link DIR-890L A2 suffers from an Improper Access Control vulnerability that, due to the predictability of the /docs/captchanumber.jpeg URI, allows an attacker to disclose the CAPTCHA used by the access point and optionally load t...

Security Bulletin: Vulnerabilities in Python affect PowerKVM (CVE-2013-5123, CVE-2014-8991)

Summary PowerKVM is affected by two vulnerabilities in Python. These vulnerabilities are now fixed. Vulnerability Details CVEID: CVE-2013-5123 DESCRIPTION: Python pip could allow a remote attacker to bypass security restrictions, caused by the implementation of the mirroring support without...

Security Bulletin: The IBM FlashSystem V840 product model numbers AC0 and AC1 nodes are affected by vulnerabilities in Apache’s Struts library (CVE-2014-7809)

Summary Apache Struts could potentially allow a remote attacker to bypass security restrictions, caused by predictable tokens. Vulnerability Details CVEID: CVE-2014-7809 DESCRIPTION: Apache Struts could allow a remote attacker to bypass security restrictions, caused by predictable tokens. By...

Security Bulletin: node-uuid unsafe fallback to Math.random (CVE-2015-8851)

Summary A vulnerability in the node-uuid module causes the module to fallback on math.random under certain circumstances, which leads to predictable UUIDs. The node-uuid module is used by the Node.js Package Manager npm. Vulnerability Details CVEID: CVE-2015-8851 DESCRIPTION: node.js node-uuid...

Security Bulletin: Vulnerabilities in the GSKit component of Transformation Extender (CVE-2016-0201, CVE-2015-7421, CVE-2015-7420)

Summary Vulnerabilities have been addressed in the GSKit component of Transformation Extender. Vulnerability Details CVEID: CVE-2016-0201 DESCRIPTION: IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a MD5 collision. An attacker could exploit this vulnerability t...

Security Bulletin: Vulnerabilities in GSKit affect IBM WebSphere MQ (CVE-2015-7421, CVE-2015-7420)

Summary Vulnerabilities were discovered in GSKit. IBM WebSphere MQ uses GSKit and addressed the applicable CVE. Vulnerability Details CVEID: CVE-2015-7421 DESCRIPTION: A vulnerability in GSKit could allow a remote attacker to obtain sensitive information. The internal ICC PRNG pool state is...

Security Bulletin: IBM WebSphere MQIPT Session IDs are predictable (CVE-2015-0173)

Summary The MQIPT Session IDs for HTTP communication that are generated by MQIPT V2.0 and later are predictable. Vulnerability Details CVEID: CVE-2015-0173 DESCRIPTION: IBM WebSphere MQ Internet Pass-Thru HTTP connection management contains a security flaw which could allow interception of MQ...

Updated qtpass packages fix security vulnerability

All passwords generated with QtPass' built-in password generator prior to 1.2.1 are possibly predictable and enumerable by hackers...

CVE-2017-16031

Socket.io is a realtime application framework that provides communication via websockets. Because socket.io 0.9.6 and earlier depends on Math.random to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtainin...