PT-2018-12225 · Trivum · Musiccenter

Vulnc0D3 · Published 2018-07-17 · Updated 2019-10-03 · CVE-2018-13859

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MusicCenter / Trivum Multiroom Setup Tool, versions prior to V9.34 build 13381

Description: The issue allows unauthorized remote attackers to reset authentication via the "/xml/system/setAttribute.xml" API endpoint, using a GET request with the parameters id=0, attr=protectAccess, and newValue=0. A successful attack enables attackers to log in without authorization.

Recommendations: For versions prior to V9.34 build 13381, update to version V9.34 build 13381 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/xml/system/setAttribute.xml" API endpoint to minimize the risk of exploitation. Avoid using the id, attr, and newValue parameters in the affected API endpoint until the issue is resolved.
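Defenders reviewing web server logs from an exposed MusicCenter instance can flag the request shape described above. This is an added example, not part of the Vulnc0D3 entry or Trivum's own software; it assumes Common Log Format access logs (the exact log format of the device is an assumption) and runs over constructed sample lines, matching on the endpoint and the three parameters regardless of their order, URL encoding or HTTP method.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request shape from the advisory: /xml/system/setAttribute.xml
# called with id=0, attr=protectAccess and newValue=0.
VULN_PATH = "/xml/system/setAttribute.xml"
RESET_PARAMS = {"id": "0", "attr": "protectAccess", "newValue": "0"}

# Common Log Format (assumed): client - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def is_auth_reset_request(target: str) -> bool:
    """True when the request target matches the protectAccess reset.

    parse_qs normalises parameter order and percent-encoding, so a
    reordered or encoded variant of the same request is still caught.
    """
    parts = urlsplit(target)
    if parts.path.lower() != VULN_PATH.lower():
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    return all(qs.get(k, [None])[0] == v for k, v in RESET_PARAMS.items())


def scan_access_log(lines):
    """Return (client, timestamp, status, target) for each matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line; skip
        client, ts, _method, target, status = m.groups()
        if is_auth_reset_request(target):
            hits.append((client, ts, int(status), target))
    return hits


# Constructed sample log lines for demonstration (not from a real device).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jul/2018:10:00:01 +0000] "GET /xml/system/getData.xml HTTP/1.1" 200 512',
    '192.0.2.10 - - [17/Jul/2018:10:00:02 +0000] "GET /xml/system/setAttribute.xml?id=0&attr=protectAccess&newValue=0 HTTP/1.1" 200 44',
    '198.51.100.7 - - [17/Jul/2018:10:00:03 +0000] "GET /xml/system/setAttribute.xml?attr=protectAccess&newValue=0&id=0 HTTP/1.1" 200 44',
    '198.51.100.7 - - [17/Jul/2018:10:00:04 +0000] "GET /xml/system/setAttribute.xml?id=0&attr=protectAccess&newValue=1 HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    for client, ts, status, target in scan_access_log(SAMPLE_LOG):
        print(f"[{ts}] {client} -> {status} {target}")
```

A 200 status on a matching request is the signal to verify that the protectAccess setting is still enabled on the device and to review subsequent logins from that client.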


Related Identifiers: CVE-2018-13859

Affected Products: Musiccenter