Total
254 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-34353 | 1 Openautomationsoftware | 1 Oas Platform | 2023-12-10 | N/A | 7.5 HIGH |
| An authentication bypass vulnerability exists in the OAS Engine authentication functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted network sniffing can lead to decryption of sensitive information. An attacker can sniff network traffic to trigger this vulnerability. | |||||
| CVE-2023-4344 | 1 Broadcom | 1 Raid Controller Web Interface | 2023-12-10 | N/A | 9.8 CRITICAL |
| Broadcom RAID Controller web interface is vulnerable to insufficient randomness due to improper use of ssl.rnd to setup CIM connection | |||||
| CVE-2023-41879 | 1 Openmage | 1 Magento | 2023-12-10 | N/A | 7.5 HIGH |
| Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1. | |||||
| CVE-2023-3373 | 1 Mitsubishielectric | 4 Gs21, Gs21 Firmware, Gt21 and 1 more | 2023-12-10 | N/A | 9.1 CRITICAL |
| Predictable Exact Value from Previous Values vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT21 model versions 01.49.000 and prior and GOT SIMPLE Series GS21 model versions 01.49.000 and prior allows a remote unauthenticated attacker to hijack data connections (session hijacking) or prevent legitimate users from establishing data connections (to cause DoS condition) by guessing the listening port of the data connection on FTP server and connecting to it. | |||||
| CVE-2023-31147 | 2 C-ares Project, Fedoraproject | 2 C-ares, Fedora | 2023-12-10 | N/A | 6.5 MEDIUM |
| c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1. | |||||
| CVE-2023-0343 | 1 Akuvox | 2 E11, E11 Firmware | 2023-12-10 | N/A | 7.5 HIGH |
| Akuvox E11 contains a function that encrypts messages which are then forwarded. The IV vector and the key are static, and this may allow an attacker to decrypt messages. | |||||
| CVE-2023-1898 | 1 Atlascopco | 2 Power Focus 6000, Power Focus 6000 Firmware | 2023-12-10 | N/A | 7.5 HIGH |
| Atlas Copco Power Focus 6000 web server uses a small amount of session ID numbers. An attacker could enter a session ID number to retrieve data for an active user’s session. | |||||
| CVE-2022-43485 | 1 Honeywell | 2 Onewireless Network Wireless Device Manager, Onewireless Network Wireless Device Manager Firmware | 2023-12-10 | N/A | 6.5 MEDIUM |
| Use of Insufficiently Random Values in Honeywell OneWireless. This vulnerability may allow attacker to manipulate claims in client's JWT token. This issue affects OneWireless version 322.1 | |||||
| CVE-2023-26855 | 1 Churchcrm | 1 Churchcrm | 2023-12-10 | N/A | 7.5 HIGH |
| The hashing algorithm of ChurchCRM v4.5.3 utilizes a non-random salt value which allows attackers to use precomputed hash tables or dictionary attacks to crack the hashed passwords. | |||||
| CVE-2023-30797 | 1 Netflix | 1 Lemur | 2023-12-10 | N/A | 7.5 HIGH |
| Netflix Lemur before version 1.3.2 used insufficiently random values when generating default credentials. The insufficiently random values may allow an attacker to guess the credentials and gain access to resources managed by Lemur. | |||||
| CVE-2023-1385 | 2 Amazon, Bestbuy | 3 Fire Os, Fire Tv Stick 3rd Gen, Insignia Tv | 2023-12-10 | N/A | 8.8 HIGH |
| Improper JPAKE implementation allows offline PIN brute-forcing due to the initialization of random values to a known value, which leads to unauthorized authentication to amzn.lightning services. This issue affects: Amazon Fire TV Stick 3rd gen versions prior to 6.2.9.5. Insignia TV with FireOS 7.6.3.3. | |||||
| CVE-2023-31124 | 2 C-ares Project, Fedoraproject | 2 C-ares, Fedora | 2023-12-10 | N/A | 3.7 LOW |
| c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1. | |||||
| CVE-2022-43636 | 1 Tp-link | 2 Tl-wr940n, Tl-wr940n Firmware | 2023-12-10 | N/A | 8.8 HIGH |
| This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of TP-Link TL-WR940N 6_211111 3.20.1(US) routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of sufficient randomness in the sequnce numbers used for session managment. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-18334. | |||||
| CVE-2020-36732 | 1 Crypto-js Project | 1 Crypto-js | 2023-12-10 | N/A | 5.3 MEDIUM |
| The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary. | |||||
| CVE-2023-2884 | 1 Cbot | 2 Cbot Core, Cbot Panel | 2023-12-10 | N/A | 9.8 CRITICAL |
| Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Use of Insufficiently Random Values vulnerability in CBOT Chatbot allows Signature Spoofing by Key Recreation.This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. | |||||
| CVE-2023-22746 | 1 Okfn | 1 Ckan | 2023-12-10 | N/A | 7.5 HIGH |
| CKAN is an open-source DMS (data management system) for powering data hubs and data portals. When creating a new container based on one of the Docker images listed below, the same secret key was being used by default. If the users didn't set a custom value via environment variables in the `.env` file, that key was shared across different CKAN instances, making it easy to forge authentication requests. Users overriding the default secret key in their own `.env` file are not affected by this issue. Note that the legacy images (ckan/ckan) located in the main CKAN repo are not affected by this issue. The affected images are ckan/ckan-docker, (ckan/ckan-base images), okfn/docker-ckan (openknowledge/ckan-base and openknowledge/ckan-dev images) keitaroinc/docker-ckan (keitaro/ckan images). | |||||
| CVE-2022-43501 | 1 Elwsc | 4 Kasago Ipv4, Kasago Ipv4 Light, Kasago Ipv6\/v4 Dual and 1 more | 2023-12-10 | N/A | 9.1 CRITICAL |
| KASAGO TCP/IP stack provided by Zuken Elmic generates ISNs(Initial Sequence Number) for TCP connections from an insufficiently random source. An attacker may be able to determine the ISN of the current or future TCP connections and either hijack existing ones or spoof future ones. | |||||
| CVE-2021-4248 | 1 Kapetan Dns Project | 1 Kapetan Dns | 2023-12-10 | N/A | 9.8 CRITICAL |
| A vulnerability was found in kapetan dns up to 6.1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file DNS/Protocol/Request.cs. The manipulation leads to insufficient entropy in prng. The attack may be launched remotely. Upgrading to version 7.0.0 is able to address this issue. The name of the patch is cf7105aa2aae90d6656088fe5a8ee1d5730773b6. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216188. | |||||
| CVE-2017-5242 | 1 Rapid7 | 1 Insightvm | 2023-12-10 | N/A | 7.7 HIGH |
| Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots. | |||||
| CVE-2022-39216 | 1 Combodo | 1 Itop | 2023-12-10 | N/A | 9.8 CRITICAL |
| Combodo iTop is an open source, web-based IT service management platform. Prior to versions 2.7.8 and 3.0.2-1, the reset password token is generated without any randomness parameter. This may lead to account takeover. The issue is fixed in versions 2.7.8 and 3.0.2-1. | |||||