CVE-2018-13860

Name of the Vulnerable Software and Affected Versions MusicCenter / Trivum Multiroom Setup Tool versions prior to V9.34 build 13381

Description The issue allows unauthorized remote attackers to obtain sensitive information. This can be achieved via the "/xml/menu/getObjectEditor.xml" URL, using a "?oid=systemSetup&id= 0" or "?oid=systemUsers&id= 0" GET request.

Recommendations For versions prior to V9.34 build 13381, update to version V9.34 build 13381 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/xml/menu/getObjectEditor.xml" URL to minimize the risk of exploitation. Avoid using the oid and id parameters in the affected API endpoint until the issue is resolved.