PRNG isn't reseeded

We are using Python's random module (seeded via system random) rather than system random itself, which means that in a long-running process the generator is never reseeded. In addition, our error pages leak random numbers, allowing the state of the PRNG used for password resets to be derived.
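The following is an added example, not the project's own code, showing why an unreseeded generator with a known state is unsafe for reset tokens and what the system-random replacement changes. The names make_token, has_recoverable_state and ALPHABET are hypothetical, and the observer's state is simply copied with getstate() as a stand-in for a derived state.

```python
import random
import string

ALPHABET = string.ascii_letters + string.digits  # hypothetical token alphabet


def make_token(rng, length=32):
    """Build a reset token by drawing characters from the given generator."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def has_recoverable_state(rng):
    """True if the generator has internal state that fixes all future output."""
    try:
        rng.getstate()
    except NotImplementedError:
        return False  # SystemRandom reads the OS entropy source; it has no state
    return True


def demo():
    # Weak: one process-wide Mersenne Twister, seeded once from system random
    # at startup and never reseeded afterwards.
    process_rng = random.Random(random.SystemRandom().getrandbits(128))

    # Stand-in for an observer who knows the generator's state. The state is
    # copied directly here; no recovery technique is shown.
    observer = random.Random()
    observer.setstate(process_rng.getstate())

    # With no reseed, every token the process issues later is already fixed.
    issued = [make_token(process_rng) for _ in range(3)]
    predicted = [make_token(observer) for _ in range(3)]

    # Hardened: draw every token from system random instead.
    system_rng = random.SystemRandom()
    strong = [make_token(system_rng) for _ in range(3)]
    return issued, predicted, strong


if __name__ == "__main__":
    issued, predicted, strong = demo()
    print("predictable tokens match:", issued == predicted)
    print("system random has state:", has_recoverable_state(random.SystemRandom()))
```

A check like has_recoverable_state can be run in a test suite against whatever generator object the token code receives, so a regression back to the stateful generator fails the build.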

Information for security researchers

CVE Identifier: CVE-2012-5508
Impact Subscore: 2.9
Exploitability Subscore: 3.2
Overall CVSS Score: 1.4
Vector: (AV:A/AC:H/Au:N/C:P/I:N/A:N/E:P/RL:O/RC:C)
CWE: CWE-330
Credit: Christian Heimes