Skip to main content
CVE-2019-10908 CRITICAL PATCH Act Now

In Airsonic 10.2.1, RecoverController.java generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Java Privilege Escalation Apache Airsonic
NVD GitHub
CVSS 3.0
9.8
EPSS
1.6%
CVE-2019-10907 CRITICAL PATCH Act Now

Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Java Information Disclosure Airsonic
NVD GitHub
CVSS 3.0
9.8
EPSS
0.9%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy