The essential news about content management systems and mobile technology. Powered by Perfect Publisher and XT Search for Algolia.

The News Site publishes posts to the following channels: Facebook, Instagram, Twitter, Telegram, Web Push, Tumblr, and Blogger.

[20210301] - Core - Insecure randomness within 2FA secret generation

Details
Category: Security Announcements
  • Project: Joomla!
  • SubProject: CMS
  • Impact: Low
  • Severity: Low
  • Versions: 3.2.0 - 3.9.24
  • Exploit type: Insecure Randomness
  • Reported Date: 2021-01-12
  • Fixed Date: 2021-03-02
  • CVE Number: CVE-2021-23126CVE-2021-23127

Description

Usage of the insecure rand() function within the process of generating the 2FA secret.
Usage of an insufficient length for the 2FA secret accoring to RFC 4226 of 10 bytes vs 20 bytes.

This issue has been coordinated with Akeeba Ltd as contributor of the original FOF codebase to the core.

Affected Installs

Joomla! CMS versions 3.2.0 - 3.9.24

Solution

Upgrade to version 3.9.25

Contact

The JSST at the Joomla! Security Centre....

Reported By: Hanno Böck

Read more

© 2024 Extly, CB - All rights reserved.