Total
254 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2008-4905 | 1 Typosphere | 1 Typo | 2024-02-09 | 5.0 MEDIUM | 7.5 HIGH |
| Typo 5.1.3 and earlier uses a hard-coded salt for calculating password hashes, which makes it easier for attackers to guess passwords via a brute force attack. | |||||
| CVE-2008-0141 | 1 Webportal Cms Project | 1 Webportal Cms | 2024-02-09 | 7.5 HIGH | 7.5 HIGH |
| actions.php in WebPortal CMS 0.6-beta generates predictable passwords containing only the time of day, which makes it easier for remote attackers to obtain access to any account via a lostpass action. | |||||
| CVE-2024-23688 | 1 Consensys | 1 Discovery | 2024-01-26 | N/A | 5.3 MEDIUM |
| Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session. which should ideally be unique for every message. The node's private key isn't compromised, only the session key generated for specific peer communication is exposed. | |||||
| CVE-2023-20185 | 1 Cisco | 2 Nexus 9000 In Aci Mode, Nx-os | 2024-01-25 | N/A | 7.4 HIGH |
| A vulnerability in the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches in ACI mode could allow an unauthenticated, remote attacker to read or modify intersite encrypted traffic. This vulnerability is due to an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches. An attacker with an on-path position between the ACI sites could exploit this vulnerability by intercepting intersite encrypted traffic and using cryptanalytic techniques to break the encryption. A successful exploit could allow the attacker to read or modify the traffic that is transmitted between the sites. Cisco has not released and will not release software updates that address this vulnerability. | |||||
| CVE-2020-1472 | 8 Canonical, Debian, Fedoraproject and 5 more | 11 Ubuntu Linux, Debian Linux, Fedora and 8 more | 2024-01-19 | 9.3 HIGH | 5.5 MEDIUM |
| An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications. | |||||
| CVE-2023-26451 | 1 Open-xchange | 1 Open-xchange Appsuite Backend | 2024-01-12 | N/A | 7.5 HIGH |
| Functions with insufficient randomness were used to generate authorization tokens of the integrated oAuth Authorization Service. Authorization codes were predictable for third parties and could be used to intercept and take over the client authorization process. As a result, other users accounts could be compromised. The oAuth Authorization Service is not enabled by default. We have updated the implementation to use sources with sufficient randomness to generate authorization tokens. No publicly available exploits are known. | |||||
| CVE-2023-46740 | 1 Linuxfoundation | 1 Cubefs | 2024-01-10 | N/A | 9.8 CRITICAL |
| CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a user thereby obtaining higher privileges. When CubeFS creates new users, it creates a piece of sensitive information for the user called the “accessKey”. To create the "accesKey", CubeFS uses an insecure string generator which makes it easy to guess and thereby impersonate the created user. An attacker could leverage the predictable random string generator and guess a users access key and impersonate the user to obtain higher privileges. The issue has been fixed in v3.3.1. There is no other mitigation than to upgrade. | |||||
| CVE-2021-38606 | 1 Yogeshojha | 1 Rengine | 2024-01-09 | 7.5 HIGH | 9.8 CRITICAL |
| reNgine through 0.5 relies on a predictable directory name. | |||||
| CVE-2023-32831 | 1 Mediatek | 12 Mt6890, Mt7612, Mt7613 and 9 more | 2024-01-05 | N/A | 5.5 MEDIUM |
| In wlan driver, there is a possible PIN crack due to use of insufficiently random values. This could lead to local information disclosure with no execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00325055; Issue ID: MSV-868. | |||||
| CVE-2023-48056 | 1 Bandoche | 1 Pypinksign | 2023-12-10 | N/A | 7.5 HIGH |
| PyPinkSign v0.5.1 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclosure of information and communications. | |||||
| CVE-2020-27630 | 1 Silabs | 1 Uc\/tcp-ip | 2023-12-10 | N/A | 9.8 CRITICAL |
| In Silicon Labs uC/TCP-IP 3.6.0, TCP ISNs are improperly random. | |||||
| CVE-2020-27636 | 1 Microchip | 1 Mplab Network Creator | 2023-12-10 | N/A | 9.1 CRITICAL |
| In Microchip MPLAB Net 3.6.1, TCP ISNs are improperly random. | |||||
| CVE-2023-39979 | 1 Moxa | 1 Mxsecurity | 2023-12-10 | N/A | 9.8 CRITICAL |
| There is a vulnerability in MXsecurity versions prior to 1.0.1 that can be exploited to bypass authentication. A remote attacker might access the system if the web service authenticator has insufficient random values. | |||||
| CVE-2023-3247 | 1 Php | 1 Php | 2023-12-10 | N/A | 4.3 MEDIUM |
| In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce. | |||||
| CVE-2020-27631 | 1 Oryx-embedded | 1 Cyclonetcp | 2023-12-10 | N/A | 9.8 CRITICAL |
| In Oryx CycloneTCP 1.9.6, TCP ISNs are improperly random. | |||||
| CVE-2020-27633 | 1 Butok | 1 Fnet | 2023-12-10 | N/A | 9.1 CRITICAL |
| In FNET 4.6.3, TCP ISNs are improperly random. | |||||
| CVE-2020-27213 | 1 Ethernut | 1 Nut\/os | 2023-12-10 | N/A | 7.5 HIGH |
| An issue was discovered in Ethernut Nut/OS 5.1. The code that generates Initial Sequence Numbers (ISNs) for TCP connections derives the ISN from an insufficiently random source. As a result, an attacker may be able to determine the ISN of current and future TCP connections and either hijack existing ones or spoof future ones. While the ISN generator seems to adhere to RFC 793 (where a global 32-bit counter is incremented roughly every 4 microseconds), proper ISN generation should aim to follow at least the specifications outlined in RFC 6528. | |||||
| CVE-2020-27635 | 1 Capgemini | 1 Picotcp | 2023-12-10 | N/A | 9.1 CRITICAL |
| In PicoTCP 1.7.0, TCP ISNs are improperly random. | |||||
| CVE-2023-24478 | 1 Intel | 1 Quartus Prime | 2023-12-10 | N/A | 5.5 MEDIUM |
| Use of insufficiently random values for some Intel Agilex(R) software included as part of Intel(R) Quartus(R) Prime Pro Edition for linux before version 22.4 may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2020-27634 | 1 Contiki-ng | 1 Contiki-ng | 2023-12-10 | N/A | 9.1 CRITICAL |
| In Contiki 4.5, TCP ISNs are improperly random. | |||||