
Feedersec

#22106 of 53,624
10.4 Total CVSS
Vulnerabilities · 2
Medium: 2
PT-2017-7391
5.3
2017-03-27
Cherry Music · Cherry Music · CVE-2015-8309
**Name of the Vulnerable Software and Affected Versions**

Cherry Music versions prior to 0.36.0

**Description**

A directory traversal issue allows remote authenticated users to read arbitrary files. This is achieved via the `value` parameter to the "download" API endpoint.

**Recommendations**

For versions prior to 0.36.0, update to version 0.36.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "download" endpoint until a patch is available. Avoid using the `value` parameter in the affected endpoint until the issue is resolved.
PT-2017-7392
5.1
2017-03-27
Cherry Music · Cherry Music · CVE-2015-8310
**Name of the Vulnerable Software and Affected Versions**

Cherry Music versions prior to 0.36.0

**Description**

The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote authenticated users to inject arbitrary web script or HTML via the `playlistname` field when creating a new playlist.

**Recommendations**

For versions prior to 0.36.0, update to version 0.36.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the playlist creation feature to minimize the risk of exploitation. Avoid using the `playlistname` field in a way that could allow arbitrary web script or HTML injection until the issue is resolved.