Total: 89 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2016-2564 | 1 Invisioncommunity | 1 Invision Power Board | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation. | |||||
CVE-2015-7764 | 1 Netflix | 1 Lemur | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting AES in CBC mode. | |||||
CVE-2017-6030 | 1 Schneider-electric | 6 Modicon M221, Modicon M221 Firmware, Modicon M241 and 3 more | 2025-04-20 | 6.4 MEDIUM | 6.5 MEDIUM |
A Predictable Value Range from Previous Values issue was discovered in Schneider Electric Modicon PLCs Modicon M221, firmware versions prior to Version 1.5.0.0, Modicon M241, firmware versions prior to Version 4.0.5.11, and Modicon M251, firmware versions prior to Version 4.0.5.11. The affected products generate insufficiently random TCP initial sequence numbers that may allow an attacker to predict the numbers from previous values. This may allow an attacker to spoof or disrupt TCP connections. | |||||
CVE-2017-0897 | 1 Expressionengine | 1 Expressionengine | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution. | |||||
CVE-2017-13992 | 1 Loytec | 2 Lvis-3me, Lvis-3me Firmware | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
An Insufficient Entropy issue was discovered in LOYTEC LVIS-3ME versions prior to 6.2.0. The application does not utilize sufficiently random number generation for the web interface authentication mechanism, which could allow remote code execution. | |||||
CVE-2014-0691 | 1 Cisco | 1 Webex Meetings Server | 2025-04-20 | 5.0 MEDIUM | 7.3 HIGH |
Cisco WebEx Meetings Server before 1.1 uses meeting IDs with insufficient entropy, which makes it easier for remote attackers to bypass authentication and join arbitrary meetings without a password, aka Bug ID CSCuc79643. | |||||
CVE-2015-3405 | 7 Debian, Fedoraproject, Ntp and 4 more | 13 Debian Linux, Fedora, Ntp and 10 more | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys. | |||||
CVE-2016-2858 | 3 Canonical, Debian, Qemu | 3 Ubuntu Linux, Debian Linux, Qemu | 2025-04-12 | 1.9 LOW | 6.5 MEDIUM |
QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption. | |||||
CVE-2021-4238 | 1 Goutils Project | 1 Goutils | 2025-04-11 | N/A | 9.1 CRITICAL |
Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strings generated by these functions. | |||||
CVE-2008-1447 | 6 Canonical, Cisco, Debian and 3 more | 8 Ubuntu Linux, Ios, Debian Linux and 5 more | 2025-04-09 | 5.0 MEDIUM | 6.8 MEDIUM |
The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug." | |||||
CVE-2008-2108 | 4 Canonical, Debian, Fedoraproject and 1 more | 4 Ubuntu Linux, Debian Linux, Fedora and 1 more | 2025-04-09 | 7.5 HIGH | 9.8 CRITICAL |
The GENERATE_SEED macro in PHP 4.x before 4.4.8 and 5.x before 5.2.5, when running on 64-bit systems, performs a multiplication that generates a portion of zero bits during conversion due to insufficient precision, which produces 24 bits of entropy and simplifies brute force attacks against protection mechanisms that use the rand and mt_rand functions. | |||||
CVE-2001-0950 | 1 Valicert | 1 Enterprise Validation Authority | 2025-04-03 | 7.5 HIGH | 7.5 HIGH |
ValiCert Enterprise Validation Authority (EVA) Administration Server 3.3 through 4.2.1 uses insufficiently random data to (1) generate session tokens for HSMs using the C rand function, or (2) generate certificates or keys using /dev/urandom instead of another source which blocks when the entropy pool is low, which could make it easier for local or remote attackers to steal tokens or certificates via brute force guessing. | |||||
CVE-2025-29311 | 1 Opennetworking | 1 Onos | 2025-04-01 | N/A | 7.5 HIGH |
Limited secret space in LLDP packets used in ONOS v2.7.0 allows attackers to obtain the private key via a brute-force attack. Attackers can leverage this vulnerability to create crafted LLDP packets. | |||||
CVE-2024-9055 | | | 2025-03-17 | N/A | 4.2 MEDIUM |
The DPA countermeasures on Silicon Labs' Series 2 devices are not reseeded periodically as they should be. This may allow an attacker to eventually extract secret keys through a DPA attack. | |||||
CVE-2024-22473 | 1 Silabs | 1 Gecko Software Development Kit | 2025-02-12 | N/A | 6.8 MEDIUM |
TRNG is used before initialization by ECDSA signing driver when exiting EM2/EM3 on Virtual Secure Vault (VSE) devices. This defect may allow Signature Spoofing by Key Recreation. This issue affects Gecko SDK through v4.4.0. | |||||
CVE-2024-3411 | | | 2025-02-05 | N/A | 9.1 CRITICAL |
Implementations of IPMI Authenticated sessions do not provide enough randomness to protect from session hijacking, allowing an attacker to use either a predictable IPMI Session ID or a weak BMC Random Number to bypass security controls using spoofed IPMI packets to manage the BMC device. | |||||
CVE-2024-53522 | | | 2025-01-09 | N/A | 7.5 HIGH |
Bangkok Medical Software HOSxP XE v4.64.11.3 was discovered to contain a hardcoded IDEA Key-IV pair in the HOSxPXE4.exe and HOS-WIN32.INI components. This allows attackers to access sensitive information. | |||||
CVE-2024-6508 | | | 2025-01-09 | N/A | 8.0 HIGH |
An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim’s current application account using a third-party account without any restrictions. | |||||
CVE-2020-36732 | 1 Crypto-js Project | 1 Crypto-js | 2025-01-06 | N/A | 5.3 MEDIUM |
The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary. | |||||
CVE-2018-9426 | 1 Google | 1 Android | 2024-12-18 | N/A | 7.5 HIGH |
In RsaKeyPairGenerator::getNumberOfIterations of RSAKeyPairGenerator.java, an incorrect implementation could cause weak RSA key pairs to be generated. This could lead to a crypto vulnerability with no additional execution privileges needed. User interaction is not needed for exploitation. Bulletin Fix: The fix is designed to correctly implement the key generation according to the FIPS standard. |