Use of a Broken or Risky Cryptographic Algorithm
Revive-ad server utilizes a PRNG for session-token generation, this means that an attacker could theoretically be able to generate session tokens at random and take over accounts at random.
This function does not generate crypto-graphically secure values, and should not be used for cryptographic purposes.
CVE-2021-22948
Refer report: https://hackerone.com/reports/1306942
Impact
This vulnerability is capable of allowing mass account takeover by having attackers generate other users' session tokens.
0 comments:
Post a Comment