CVE-2021-27913

Exploit

EPSS 0.09%
Published 30.08.2021 16:15:07
Last modified 21.11.2024 05:58:47
Source security@mautic.org
Teams watchlist Login
Open Login

The function mt_rand is used to generate session tokens, this function is cryptographically flawed due to its nature being one pseudorandomness, an attacker can take advantage of the cryptographically insecure nature of this function to enumerate session tokens for accounts that are not under his/her control This issue affects: Mautic Mautic versions prior to 3.3.4; versions prior to 4.0.0.

Affected products Warnungen 0 Metrics 4 CWE 2 References 4

Data is provided by the National Vulnerability Database (NVD)

Acquia ≫ Mautic Version < 3.3.4

Acquia ≫ Mautic Version4.0.0 Updatealpha1

Acquia ≫ Mautic Version4.0.0 Updatebeta

Acquia ≫ Mautic Version4.0.0 Updaterc

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.09%	0.226

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:P/I:N/A:N
security@mautic.org	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

https://github.com/mautic/mautic/security/advisories/GHSA-x7g2-wrrp-r6h3

Patch

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2021-27913

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-27913

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-27913

EUVD