CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-20110
https://notcve.org/view.php?id=CVE-2015-20110
31 Oct 2023 — JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters. JHipster generador-jhipster anterior a 2.23.0 permite un ataque de tiempo contra validarToken debido a una compa... • https://github.com/jhipster/generator-jhipster/commit/79fe5626cb1bb80f9ac86cf46980748e65d2bdbc • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 2CVE-2019-16303
https://notcve.org/view.php?id=CVE-2019-16303
13 Sep 2019 — A class generated by the Generator in JHipster before 6.3.0 and JHipster Kotlin through 1.1.0 produces code that uses an insecure source of randomness (apache.commons.lang3 RandomStringUtils). This allows an attacker (if able to obtain their own password reset URL) to compute the value for all other password resets for other accounts, thus allowing privilege escalation or account takeover. Una clase generada mediante el Generator en JHipster versiones anteriores a 6.3.0 y JHipster Kotlin versiones hasta 1.1... • https://github.com/jhipster/generator-jhipster/commit/88448b85fd3e8e49df103f0061359037c2c68ea7 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •