CVE-2019-8389

Name of the Vulnerable Software and Affected Versions Musicloud version 1.6

Description A file-read issue was identified in the Wi-Fi transfer feature. The application runs a transfer service on port 8080, accessible to everyone on the same Wi-Fi network. An attacker can send crafted POST parameters downfiles and cur-folder to the "download.script" endpoint, allowing access to any requested file, such as the /etc/passwd file.

Recommendations For Musicloud version 1.6, as a temporary workaround, consider restricting access to the download.script endpoint until a patch is available. Avoid using the downfiles and cur-folder parameters in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.