Vulnerability identifier: #VU83992
Vulnerability risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-330
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
crypto-js
Web applications /
JS libraries
Vendor: brix
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the application generates random numbers by concatenating the string "0." with an
integer, which makes the output more predictable than necessary. A remote attacker can gain access to sensitive information.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
crypto-js: 3.1.2 - 3.2.0
External links
http://github.com/brix/crypto-js/issues/254
http://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-548472
http://github.com/brix/crypto-js/issues/256
http://github.com/brix/crypto-js/compare/3.2.0...3.2.1
http://github.com/brix/crypto-js/pull/257/commits/e4ac157d8b75b962d6538fc0b996e5d4d5a9466b
http://security.netapp.com/advisory/ntap-20230706-0003/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.