CVE-2018-6014

Name of the Vulnerable Software and Affected Versions Subsonic version 6.1.3

Description The issue allows an attacker to retrieve sensitive user information via a read request, exploiting an insecure allow-access-from domain="*" Flash cross-domain policy. To exploit this, an attacker must convince the user to visit a web site loaded with a SWF file created to steal user data.

Recommendations For Subsonic version 6.1.3, consider restricting access to sensitive user information until a patch is available. As a temporary workaround, avoid using Flash-based features that may be exploited through the cross-domain policy issue.