Vulnerability Details : CVE-2018-15552
Potential exploit
The "PayWinner" function of a simplelottery smart contract implementation for The Ethereum Lottery, an Ethereum gambling game, generates a random value from the variable "maxTickets", which is declared private yet is predictable and readable through the eth.getStorageAt function. This allows attackers to always win and get rewards.
Products affected by CVE-2018-15552
- cpe:2.3:a:theethereumlottery:the_ethereum_lottery:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-15552
EPSS score: 0.79% (probability of exploitation activity in the next 30 days)
Percentile: ~81% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-15552
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2018-15552
- The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-15552
- https://github.com/TEAM-C4B/CVE-LIST/tree/master/CVE-2018-15552 (CVE-LIST/CVE-2018-15552 at master · TEAM-C4B/CVE-LIST · GitHub). Exploit; Third Party Advisory