Vulnerability Monitor

CVE-2021-27913

The function mt_rand is used to generate session tokens. This function is cryptographically flawed because it is only pseudorandom; an attacker can take advantage of the cryptographically insecure nature of this function to enumerate session tokens for accounts that are not under his/her control. This issue affects: Mautic Mautic versions prior to 3.3.4; versions prior to 4.0.0.

Published

2021-08-30T16:15:07.457

Last Modified

2024-11-21T05:58:47.220

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.5 (LOW)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

Exploitability Score

6.8

Impact Score

2.9

Weaknesses
  • Type: Secondary: CWE-327
  • Type: Primary: CWE-338

Affected Vendors & Products
Type         Vendor   Product   Version/Range   Vulnerable?
Application  acquia   mautic    < 3.3.4         Yes
Application  acquia   mautic    4.0.0           Yes

References