Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An attacker able to capture cookies might be able to trivially bruteforce offline the passwords of associated users.
Add your gear to cvedb and we'll alert you only when airsonic_project ships something exploited.
Check my exposure →This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.