PT-2019-12085 · Spring +1

Published: 2019-04-07 · Updated: 2020-08-24 · CVE-2019-10907

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Airsonic version 10.2.1

Description: The issue concerns the use of Spring's default remember-me mechanism, based on MD5 with a fixed key, in Airsonic. An attacker who captures remember-me cookies could use them to brute-force the associated users' passwords offline.

Recommendations: For Airsonic version 10.2.1, consider updating GlobalSecurityConfig.java to use a more secure remember-me mechanism, such as one based on a secure hash function and a random key. As a temporary workaround, restrict access to sensitive areas of the application to minimize the risk of exploitation.
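The weak configuration pattern described above beside a hardened one, as an added illustration that is not Airsonic's own GlobalSecurityConfig.java. It assumes the Spring Security 5.x WebSecurityConfigurerAdapter API; the class name, the placeholder key literal and the key-generation helper are constructed for this example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
@EnableWebSecurity
public class RememberMeHardeningExample extends WebSecurityConfigurerAdapter {
    private final UserDetailsService userDetailsService;

    public RememberMeHardeningExample(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    // WEAK (the pattern the advisory describes): TokenBasedRememberMeServices with a
    // fixed key. Cookie = base64(user:expiry:MD5(user:expiry:password:key)); with the
    // key known from the source, a captured cookie lets the password be guessed offline.
    private void weakRememberMe(HttpSecurity http) throws Exception {
        http.rememberMe().key("FIXED-KEY-PLACEHOLDER"); // placeholder for a hard-coded literal
    }
    // HARDENED: persistent tokens are random series/token pairs stored server side, so
    // the cookie carries nothing derived from the password; the key is random per deployment.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.rememberMe()
            .key(generateKey())
            .tokenRepository(tokenRepository())
            .userDetailsService(userDetailsService)
            .tokenValiditySeconds(14 * 24 * 3600)
            .useSecureCookie(true);
    }

    @Bean
    public PersistentTokenRepository tokenRepository() {
        // In-memory for illustration; use JdbcTokenRepositoryImpl in production so tokens
        // survive restarts and can be revoked from the database.
        return new InMemoryTokenRepositoryImpl();
    }
    // 32 random bytes, base64. In production load the key from a protected configuration
    // property so that remember-me cookies survive a restart.
    static String generateKey() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getEncoder().encodeToString(raw);
    }
}
```

Rotating the key or clearing the token repository invalidates every outstanding remember-me cookie, which is the response to take once cookie capture is suspected.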

Fix

Weakness Enumeration: Inadequate Encryption Strength

Related Identifiers: CVE-2019-10907

Affected Products: Airsonic, Spring