CVE-2024-47945

CRITICAL Year: 2024
CVSS v3 Score
9.1
Critical
Weakness Type
CWE-340
View all →

Vulnerability Description

The devices are vulnerable to session hijacking due to insufficient entropy in its session ID generation algorithm. The session IDs are predictable, with only 32,768 possible values per user, which allows attackers to pre-generate valid session IDs, leading to unauthorized access to user sessions. This is not only due to the use of an (insecure) rand() function call but also because of missing initialization via srand(). As a result only the PIDs are effectively used as seed.

Related Vulnerabilities

CVE-2024-52299

HIGH
CVSS:7.5(High)

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Any user with view right on XWiki.PDFViewerService can access any attachment stored in the wiki as the "key" that is passed to pre...

CWE-3402024

CVE-2024-52299

HIGH
CVSS:7.5(High)

macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. Any user with view right on XWiki.PDFViewerService can access any attachment stored in the wiki as the "key" that is passed to pre...

CWE-3402024

CVE-2025-0218

HIGH
CVSS:7.1(High)

When batch jobs are executed by pgAgent, a script is created in a temporary directory and then executed. In versions of pgAgent prior to 4.2.3, an insufficiently seeded random number generator is used...

CWE-3402025

CVE-2024-12034

MEDIUM
CVSS:5.3(Medium)

The Advanced Google reCAPTCHA plugin for WordPress is vulnerable to IP unblocking in all versions up to, and including, 1.25. This is due to the plugin not utilizing a strong unique key when generatin...

CWE-3402024

CVE-2024-28957

MEDIUM
CVSS:5.3(Medium)

Generation of predictable identifiers issue exists in Cente middleware TCP/IP Network Series. If this vulnerability is exploited, a remote unauthenticated attacker may interfere communications by pred...

CWE-3402024

CVE-2020-1905

LOW
CVSS:3.3(Low)

Media ContentProvider URIs used for opening attachments in other apps were generated sequentially prior to WhatsApp for Android v2.20.185, which could have allowed a malicious third party app chosen t...

CWE-3402020