diff --git a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.qhelp b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.qhelp index 8aa9f27c028..b6bbf62622e 100644 --- a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.qhelp +++ b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.qhelp @@ -3,7 +3,7 @@ "qhelp.dtd"> -

This query detects instances of RandomUtil.java generated by a JHipster version vulnerable to CVE-2019-16303. +

This query detects instances of RandomUtil.java generated by a JHipster version vulnerable to CVE-2019-16303.

Using one password reset token from your app combined with the proof of concept (POC) linked below, an attacker can determine all future password reset tokens to be generated by this server. This allows an attacker to pick and choose what account they would like to takeover by sending account password reset requests for targeted accounts.

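Review bot: the removed and added lines carry the identical sentence ("This query detects instances of RandomUtil.java generated by a JHipster version vulnerable to CVE-2019-16303."), so the only difference in this hunk is where the line break falls after the opening paragraph markup; please say in the commit message that the change is whitespace-only, and confirm the reflowed file still validates against the qhelp.dtd named in the hunk header, since that DTD governs which whitespace the help renderer accepts. While this paragraph is being touched, the unchanged context line "what account they would like to takeover" should read "take over" (two words) when used as a verb.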
@@ -16,7 +16,7 @@ This allows an attacker to pick and choose what account they would like to takeo -

The example below shows the vulnerable RandomUtil class generated by JHipster. +

The example below shows the vulnerable RandomUtil class generated by JHipster.

Below is a fixed version of the RandomUtil class.

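Review bot: the reflow is applied inconsistently within this hunk: "The example below shows the vulnerable RandomUtil class generated by JHipster." gets the text moved onto its own line after the paragraph tag, but the neighbouring unchanged paragraph "Below is a fixed version of the RandomUtil class." keeps its original layout. If the intent is one layout style for every paragraph in this file, apply the same line-break treatment to that paragraph in this change; otherwise the file ends up with two styles side by side for no stated reason.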
@@ -26,7 +26,7 @@ This allows an attacker to pick and choose what account they would like to takeo -An automated refactoring rewrite module can be found here. +

An automated refactoring rewrite module can be found here.
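Review bot: this is the same whitespace-only reflow as the earlier hunks (the sentence "An automated refactoring rewrite module can be found here." is unchanged), but since the line is being rewritten anyway it is a good moment to replace the bare link text "here" with descriptive text that names the refactoring module, so the sentence still tells the reader what is being linked when the help text is rendered without the link or read aloud.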