Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
ReviveAdserver Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Vulnerability - CVE-2019-5440 - Vulnerability Database
ReviveAdserver

ReviveAdserver Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Vulnerability - CVE-2019-5440

High
Reference: CVE-2019-5440
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2019-5440
Title: ReviveAdserver Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Vulnerability
Overview:

Use of cryptographically weak PRNG in the password recovery token generation of Revive Adserver lt v4.2.1 causes a potential authentication bypass attack if an attacker exploits the password recovery functionality. In lib/OA/Dal/PasswordRecovery.php the function generateRecoveryId() generates a password reset token that relies on the PHP uniqid function and consequently depends only on the current server time which is often visible in an HTTP Date header.