Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in ampache/ampache
Jul 16th 2021
According to the official PHP documentation, mt_rand() carries a security caveat: "This function does not generate cryptographically secure values, and should not be used for cryptographic purposes". As the permalinks show, mt_rand() is used to generate session and API keys, so an attacker can take over user accounts.
For more information about using secure random functions, see the following document: https://phpsecurity.readthedocs.io/en/latest/Insufficient-Entropy-For-Random-Values.html. It does not matter that md5() and uniqid() are applied as well, because the source of these values is the same weak generator, so the entropy of the session and API keys remains weak and insecure.
This vulnerability allows an attacker to take control of users' accounts.
Use random_bytes() instead of mt_rand().
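The following is an added example, not Ampache's own code, that places the weak key-generation pattern the report describes beside the random_bytes() form it recommends. The function names (weakApiKey, secureApiKey, secureSessionId, apiKeyMatches, mtRandIsReproducible) are assumptions for illustration; only the PHP built-ins are real.

```php
<?php
declare(strict_types=1);

// Constructed illustration, not Ampache's code. The weak pattern the report
// describes: a key derived from mt_rand(), with uniqid() and md5() layered on top.
// md5() and uniqid() only reshape the value; they add no entropy of their own.
function weakApiKey(): string
{
    return md5(uniqid((string) mt_rand(), true));
}

// Hardened form: random_bytes() reads from the operating system's CSPRNG.
// 32 bytes = 256 bits of entropy; bin2hex() yields a 64-character key.
// random_bytes() throws if no secure source is available, which is the
// correct failure mode: never fall back to mt_rand().
function secureApiKey(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// Session identifiers: same source, at least 16 bytes (128 bits).
function secureSessionId(): string
{
    return bin2hex(random_bytes(16));
}

// When validating a presented key, compare in constant time so the check
// does not leak how many leading characters matched.
function apiKeyMatches(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

// Why mt_rand() is unsuitable for keys: its whole output stream is fixed by
// a 32-bit seed, so two runs with the same seed produce identical values.
// random_bytes() has no such seed to recover.
function mtRandIsReproducible(): bool
{
    mt_srand(42);
    $first = [mt_rand(), mt_rand(), mt_rand()];
    mt_srand(42);
    $second = [mt_rand(), mt_rand(), mt_rand()];
    return $first === $second;
}

// Usage
printf("mt_rand() reproducible from seed: %s\n", mtRandIsReproducible() ? 'yes' : 'no');
printf("weak key:    %s\n", weakApiKey());
printf("secure key:  %s\n", secureApiKey());
printf("session id:  %s\n", secureSessionId());
$stored = secureApiKey();
printf("match check: %s\n", apiKeyMatches($stored, $stored) ? 'ok' : 'mismatch');
```

mtRandIsReproducible() returns true, which is the property that makes mt_rand() unfit for session and API keys: anything an attacker can re-seed, they can regenerate. Both weak and secure keys are 32 hex characters or longer, so length alone is no indicator of strength; what matters is the source behind the characters.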