Stored Cookie Vulnerability in Airsonic Media Server by Airsonic
CVE-2019-10907

9.8CRITICAL

Key Information:

Vendor: Airsonic Project
Status: Airsonic
Vendor: CVE Published:; 7 April 2019

🔔 Create Airsonic Project Vulnerability Alert

What is CVE-2019-10907?

Airsonic Media Server version 10.2.1 employs an insecure default mechanism for storing remember-me cookies, utilizing MD5 hashing with a static key. This configuration allows attackers to potentially capture and brute-force user passwords through offline methods, leading to unauthorized access. Proper measures should be taken to address this vulnerability and enhance the security of user credentials.

References

https://github.com/airsonic/airsonic/commit/3e07ea52885f8...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2019
Vulnerability Reserved
Apr 7, 2019