Airsonic ProjectCVEs & Vulnerabilities
3 CVEs affecting Airsonic Project products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.
3 CVEs→ All vendors
Most Affected Products
airsonic 3
CVE-2019-10908CRITICAL
In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has a 48-bit seed that can easily be bruteforced, leading to trivial privilege escalation attacks.
7 Apr 2019
9.8
CVSS
CVE-2019-10907CRITICAL
Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users.
7 Apr 2019
9.8
CVSS
CVE-2018-20222CRITICAL
XXE issue in Airsonic before 10.1.2 during parse.
4 Apr 2019
9.8
CVSS
← PrevPage 1 / 1Next →