CVE-2017-9413

Name of the Vulnerable Software and Affected Versions Subsonic version 6.1.1

Description The issue affects the Podcast feature, allowing remote attackers to hijack user authentication for specific requests. This can be achieved through exploiting cross-site request forgery (CSRF) vulnerabilities, particularly when (1) subscribing to a podcast via the add parameter to "podcastReceiverAdmin.view" or (2) updating Internet Radio Settings via the urlRedirectCustomUrl parameter to "networkSettings.view". These vulnerabilities can also be exploited to conduct server-side request forgery (SSRF) attacks.

Recommendations For Subsonic version 6.1.1, consider disabling the Podcast feature temporarily to prevent exploitation until a patch is available. Restrict access to the "podcastReceiverAdmin.view" and "networkSettings.view" endpoints to minimize the risk of CSRF and SSRF attacks. Avoid using the add parameter and the urlRedirectCustomUrl parameter in the affected API endpoints until the issue is resolved.