PT-2019-15795 · Last.Fm · Last.Fm Desktop App

Published

2019-12-10

Updated

2020-08-24

CVE-2019-19251

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Last.fm desktop app (Last.fm Scrobbler) versions through 2.1.39

Description The issue concerns the Last.fm desktop app making HTTP requests that include an API key without using SSL/TLS. Although there is an option to enable SSL, it is disabled by default, resulting in cleartext requests as soon as the app starts.

Recommendations For versions through 2.1.39, enable the SSL option to secure requests and protect the API key.

Fix

Cleartext Transmission of Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-319CWE-1188

Related Identifiers

CVE-2019-19251

Affected Products

Last.Fm Desktop App

PT-2019-15795 · Last.Fm · Last.Fm Desktop App

CVE-2019-19251

Weakness Enumeration

Related Identifiers

Affected Products

References · 3