For each session, CiviCRM stores a private session key. This patch addresses multiple issues which could compromise the strength or security of the key.
CiviCRM version 5.28.0 and earlier
CiviCRM version 5.28.1 and 5.27.5 ESR
Upgrade to the latest version of CiviCRM
Cure53 and Mozilla Open Source Support (MOSS) for reporting the issue
Tim Otten of CiviCRM Core for further analysis and fixing the issue