Insecure Initialization Vector Generation in Magento 2's Crypt.php

Insecure Initialization Vector Generation in Magento 2's Crypt.php

CVE-2016-6485 · MEDIUM Severity

AV:N/AC:L/AU:N/C:P/I:N/A:N

The __construct function in Framework/Encryption/Crypt.php in Magento 2 uses the PHP rand function to generate a random number for the initialization vector, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by guessing the value.

Learn more about our Web Application Penetration Testing UK.