CVE-2018-6547

Name of the Vulnerable Software and Affected Versions plays.tv service versions prior to 1.27.7.0

Description The issue concerns an HTTP message parsing function in the plays service.exe that writes non-user controlled data as SYSTEM to a file when the extract files parameter is used, without properly authenticating the user. This function takes a user-defined path.

Recommendations For versions prior to 1.27.7.0, update to version 1.27.7.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the extract files parameter until a patch is applied.