5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-4240

GHSA ID

GHSA-97w9-gcc7-vr8g

EPSS Score

0.48943%

CWE

CWE-330

Published

11/16/2022

Updated

7/19/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-4240

CVE-2021-4240: Insufficient Entropy in PHPServerMon PRNG

A vulnerability, which was classified as problematic, was found in phpservermon. This affects the function generatePasswordResetToken of the file src/psm/Service/User.php. The manipulation leads to use of predictable algorithm in random number generator. The exploit has been disclosed to the public and may be used. The name of the patch is 3daa804d5f56c55b3ae13bfac368bb84ec632193. It is recommended to apply a patch to fix this issue. The identifier VDB-213717 was assigned to this vulnerability.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-4240

GHSA ID

GHSA-97w9-gcc7-vr8g

EPSS Score

0.48943%

CWE

CWE-330

Published

11/16/2022

Updated

7/19/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
phpservermon/phpservermon	composer	< 3.6.0	3.6.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the pre-patch implementation of generatePasswordResetToken which used sha1(uniqid(mt_rand(), true)). mt_rand() is cryptographically insecure and produces predictable values. The commit 3daa804 explicitly replaces mt_rand with cryptographically secure random_bytes, and CWE-1241 specifically calls out 'Use of Predictable Algorithm in Random Number Generator'. The function's security-critical context (password reset tokens) combined with the documented fix confirms this as the vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility, w*i** w*s *l*ssi*i** *s pro*l*m*ti*, w*s *oun* in p*ps*rv*rmon. T*is *****ts t** *un*tion `**n*r*t*P*sswor*R*s*tTok*n` o* t** *il* `sr*/psm/S*rvi**/Us*r.p*p`. T** m*nipul*tion l***s to us* o* pr**i*t**l* *l*orit*m in r*n*om num**r **

Reasoning

T** vuln*r**ility st*ms *rom t** pr*-p*t** impl*m*nt*tion o* **n*r*t*P*sswor*R*s*tTok*n w*i** us** s***(uniqi*(mt_r*n*(), tru*)). mt_r*n*() is *rypto*r*p*i**lly ins**ur* *n* pro*u**s pr**i*t**l* v*lu*s. T** *ommit ******* *xpli*itly r*pl***s mt_r*n*

5.3

Basic Information

Concerned about an active attack path?

CVE-2021-4240: Insufficient Entropy in PHPServerMon PRNG

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI