CVE-2018-12520

HIGH Year: 2018
CVSS v3 Score
8.1
High
CVSS v2 Score
6.8
Medium
Weakness Type
CWE-335
View all →

Vulnerability Description

An issue was discovered in ntopng 3.4 before 3.4.180617. The PRNG involved in the generation of session IDs is not seeded at program startup. This results in deterministic session IDs being allocated for active user sessions. An attacker with foreknowledge of the operating system and standard library in use by the host running the service and the username of the user whose session they're targeting can abuse the deterministic random number generation in order to hijack the user's session, thus escalating their access.

Related Vulnerabilities

CVE-2016-3735

HIGH
CVSS:8.1(High)

Piwigo is image gallery software written in PHP. When a criteria is not met on a host, piwigo defaults to usingmt_rand in order to generate password reset tokens. mt_rand output can be predicted after...

CWE-3352016

CVE-2024-1579

HIGH
CVSS:8.1(High)

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Secomea GateManager (Webserver modules) allows Session Hijacking.This issue affects GateManager: before 11.2.62407102...

CWE-3352024

CVE-2016-10180

HIGH
CVSS:7.5(High)

An issue was discovered on the D-Link DWR-932B router. WPS PIN generation is based on srand(time(0)) seeding.

CWE-3352016

CVE-2017-5214

HIGH
CVSS:7.5(High)

The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 for Joomla! allows prediction of a uniqid value based on knowledge of a time value. This makes it easier to read arbitrary uploaded...

CWE-3352017

CVE-2019-25061

HIGH
CVSS:7.5(High)

The random_password_generator (aka RandomPasswordGenerator) gem through 1.0.0 for Ruby uses Kernel#rand to generate passwords, which, due to its cyclic nature, can facilitate password prediction.

CWE-3352019

CVE-2020-13784

HIGH
CVSS:7.5(High)

D-Link DIR-865L Ax 1.20B01 Beta devices have a predictable seed in a Pseudo-Random Number Generator.

CWE-3352020