6.5

CVE-2024-38270

An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation exists in the Zyxel GS1900-10HP firmware version V2.80(AAZI.0)C0. This vulnerability could allow a LAN-based attacker a slight chance to gain a valid session token if multiple authenticated sessions are alive.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ZyxelGs1900-48hpv2 Firmware Version < 2.80\(abtq.1\)c0
   ZyxelGs1900-48hpv2 Version-
ZyxelGs1900-48 Firmware Version < 2.80\(aahn.1\)c0
   ZyxelGs1900-48 Version-
ZyxelGs1900-24hpv2 Firmware Version < 2.80\(abtp.1\)c0
   ZyxelGs1900-24hpv2 Version-
ZyxelGs1900-24ep Firmware Version < 2.80\(abto.1\)c0
   ZyxelGs1900-24ep Version-
ZyxelGs1900-24e Firmware Version <= 2.80\(aahk.1\)c0
   ZyxelGs1900-24e Version-
ZyxelGs1900-24 Firmware Version <= 2.80\(aahl.1\)c0
   ZyxelGs1900-24 Version-
ZyxelGs1900-16 Firmware Version < 2.80\(aahj.1\)c0
   ZyxelGs1900-16 Version-
ZyxelGs1900-10hp Firmware Version < 2.80\(aazi.1\)c0
   ZyxelGs1900-10hp Version-
ZyxelGs1900-8hp Firmware Version < 2.80\(aahi.1\)c0
   ZyxelGs1900-8hp Version-
ZyxelGs1900-8 Firmware Version < 2.80\(aahh.1\)c0
   ZyxelGs1900-8 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.05% 0.155
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security@zyxel.com.tw 5.3 1.6 3.6
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-331 Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.