CVE-2017-9414

Name of the Vulnerable Software and Affected Versions Subsonic version 6.1.1

Description A cross-site request forgery (CSRF) issue exists in the Subscribe to Podcast feature, allowing remote attackers to hijack the authentication of victims for requests that conduct cross-site scripting (XSS) attacks or possibly have other impact via the name parameter to playerSettings.view.

Recommendations For Subsonic version 6.1.1, as a temporary workaround, consider disabling the Subscribe to Podcast feature until a patch is available. Restrict access to the playerSettings.view endpoint to minimize the risk of exploitation. Avoid using the name parameter in the affected endpoint until the issue is resolved.