PT-2018-8507 · Subsonic · Subsonic
Hyp3Rlinx
+1
·
Published
2018-02-05
·
Updated
2018-02-23
·
CVE-2017-9414
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Subsonic version 6.1.1
Description
A cross-site request forgery (CSRF) issue exists in the Subscribe to Podcast feature, allowing remote attackers to hijack the authentication of victims for requests that conduct cross-site scripting (XSS) attacks or possibly have other impact via the
name parameter to playerSettings.view.Recommendations
For Subsonic version 6.1.1, as a temporary workaround, consider disabling the Subscribe to Podcast feature until a patch is available. Restrict access to the
playerSettings.view endpoint to minimize the risk of exploitation. Avoid using the name parameter in the affected endpoint until the issue is resolved.Exploit
Fix
CSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Subsonic