An issue exists in heinekingmedia StashCat up to and including 1.7.5 for Android, up to and including 0.0.80w for Web, and up to and including 0.0.86 for Desktop. Messages are encrypted with AES in CBC mode using a pseudo-random secret. Previous versions generate this secret and the IV with Math.random(); newer versions use CryptoJS.lib.WordArray.random(), which calls Math.random() internally. Math.random() is not cryptographically strong.
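The following is an added example, not StashCat or CryptoJS code: it contrasts key/IV bytes built from Math.random() with bytes from the platform CSPRNG, and adds a test-time check that catches Math.random() use hidden inside a library-style call. All function names are assumptions made for this illustration.

```javascript
// Added illustration; function names are hypothetical, not StashCat or CryptoJS code.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// Weak pattern described in the advisory: key/IV bytes derived from Math.random().
// Constructed for illustration, one 32-bit word per Math.random() call.
function weakRandomBytes(n) {
  const out = new Uint8Array(n);
  for (let i = 0; i < n; i += 4) {
    const word = (Math.random() * 0x100000000) >>> 0;
    for (let j = 0; j < 4 && i + j < n; j++) out[i + j] = (word >>> (24 - 8 * j)) & 0xff;
  }
  return out;
}

// Corrected form: bytes come from the platform CSPRNG (Web Crypto).
function strongRandomBytes(n) {
  return webcrypto.getRandomValues(new Uint8Array(n));
}

// Regression check: run a key/IV generator with Math.random instrumented and
// count how often it is consulted, directly or through a wrapped library call.
function countMathRandomCalls(generator) {
  const original = Math.random;
  let calls = 0;
  Math.random = function () { calls++; return original.call(Math); };
  try { generator(); } finally { Math.random = original; }
  return calls;
}

// Audit a set of named generators and flag any that touch Math.random().
function auditGenerators(generators) {
  const report = {};
  for (const [name, fn] of Object.entries(generators)) {
    report[name] = countMathRandomCalls(fn) === 0 ? 'ok' : 'uses Math.random';
  }
  return report;
}

// Sample audit: a wrapper hides the weak source the way a library call would.
const sampleReport = auditGenerators({
  wrappedKey: () => weakRandomBytes(32),   // 256-bit key via the weak path
  wrappedIv: () => weakRandomBytes(16),    // 128-bit CBC IV via the weak path
  csprngKey: () => strongRandomBytes(32),
  csprngIv: () => strongRandomBytes(16),
});
console.log(sampleReport);
```

Running the same audit over an application's real key and IV generators in a unit test flags indirect use of Math.random() that a source search for the call would miss.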
Vulnerable Product |
---|
stashcat heinekingmedia |