CVE-2021-27913

LOW

Mautic <3.3.4, <4.0.0 - Info Disclosure


Description

The function mt_rand is used to generate session tokens. This function is cryptographically flawed because it is a pseudorandom number generator rather than a cryptographically secure one, and an attacker can take advantage of its insecure nature to enumerate session tokens for accounts that are not under his/her control. This issue affects Mautic versions prior to 3.3.4 and versions prior to 4.0.0.

Scores

CVSS v3 3.5
EPSS 0.0009
EPSS Percentile 25.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

Details

CWE
CWE-327 CWE-338
Status published
Products (3)
acquia/mautic 4.0.0 alpha1 (3 CPE variants)
acquia/mautic < 3.3.4
mautic/core 0 - 3.3.4 (Packagist)
Published Aug 30, 2021
Tracked Since Feb 18, 2026