CVE-2018-14688

Name of the Vulnerable Software and Affected Versions Subsonic version 6.1.1

Description An issue was discovered that affects the radio settings, involving three stored cross-site scripting vulnerabilities. The vulnerabilities are in the name[x], streamUrl[x], homepageUrl[x] parameters, where x is an integer, in the internetRadioSettings.view endpoint. These could be used to steal session information of a victim.

Recommendations For Subsonic version 6.1.1, as a temporary workaround, consider restricting access to the internetRadioSettings.view endpoint until a patch is available. Avoid using the parameters name[x], streamUrl[x], homepageUrl[x] in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.