CVE-2018-14691

Name of the Vulnerable Software and Affected Versions Subsonic version 6.1.1

Description An issue was discovered that affects the music tags feature. It is related to stored cross-site scripting in the parameters c0-param2, c0-param3, and c0-param4 to the "/dwr/call/plaincall/tagService.setTags.dwr" endpoint. This could potentially be used to steal session information of a victim.

Recommendations For Subsonic version 6.1.1, as a temporary workaround, consider restricting access to the music tags feature and the "/dwr/call/plaincall/tagService.setTags.dwr" endpoint to minimize the risk of exploitation. Avoid using the parameters c0-param2, c0-param3, and c0-param4 in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.