Home > Vulnerability Database > CVE-2021-27913

Mend.io Vulnerability Database

CVE-2021-27913

Good to know:

Date: August 30, 2021

The function mt_rand is used to generate session tokens, this function is cryptographically flawed due to its nature being one pseudorandomness, an attacker can take advantage of the cryptographically insecure nature of this function to enumerate session tokens for accounts that are not under his/her control This issue affects: Mautic Mautic versions prior to 3.3.4; versions prior to 4.0.0.

Language: PHP

Severity Score

3.5

Related Resources (6)

Url: https://github.com/mautic/mautic/security/advisories/GHSA-x7g2-wrrp-r6h3

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-27913

Url: https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-27913.yaml

Url: https://github.com/mautic/mautic

Url: https://github.com/mautic/mautic/commit/d1cad766a2de74e6c6b89d6d78c2a5f2e36ba91c

Url: https://www.mend.io/vulnerability-database/CVE-2021-27913

Severity Score

3.5

Weakness Type (CWE)

Use of a Broken or Risky Cryptographic Algorithm

CWE-327

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CWE-338

Top Fix

Upgrade Version

Upgrade to version 3.3.4, 4.0.0

Learn More

CVSS v3.1

Base Score:	3.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

CVSS v2

Base Score:	3.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	SINGLE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-27913

Good to know:

Date: August 30, 2021

Language: PHP

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?