Apache Httpd < 2.4.25 : Padding Oracle in Apache mod_session_crypto
Prior to Apache HTTP release 2.4.25, modsessioncrypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation AES256-CBC by default, hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks,...