[20210301] - Core - Insecure randomness within 2FA secret generation

CVE-2021-23127

9.1CRITICAL

Key Information

Vendor: Joomla
Status: Joomla! Cms
Vendor: CVE Published:; 4 March 2021

Summary

An issue was discovered in Joomla! 3.2.0 through 3.9.24. Usage of an insufficient length for the 2FA secret accoring to RFC 4226 of 10 bytes vs 20 bytes.

Affected Version(s)

Joomla! CMS = 3.2.0-3.9.24

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Mar 4, 2021
Vulnerability Reserved.
Jan 6, 2021

Collectors

NVD DatabaseMitre Database