Subsonic
CVE-2018-6014
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Subsonic v6.1.3 has an insecure allow-access-from domain="*" Flash cross-domain policy that allows an attacker to retrieve sensitive user information via a read request. To exploit this issue, an attacker must convince the user to visit a web site loaded with a SWF file created specifically to steal user data.
AnalysisAI
Subsonic v6.1.3 has an insecure allow-access-from domain="*" Flash cross-domain policy that allows an attacker to retrieve sensitive user information via a read request. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. Subsonic v6.1.3 has an insecure allow-access-from domain="*" Flash cross-domain policy that allows an attacker to retrieve sensitive user information via a read request. To exploit this issue, an attacker must convince the user to visit a web site loaded with a SWF file created specifically to steal user data. Affected products include: Subsonic.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
Multiple cross-site request forgery (CSRF) vulnerabilities in the Podcast feature in Subsonic 6.1.1 allow remote attacke
XML external entity (XXE) vulnerability in the import playlist feature in Subsonic 6.1.1 might allow remote attackers to
Subsonic V6.1.5 allows internetRadioSettings.view streamUrl CSRF, with resultant SSRF. Rated high severity (CVSS 8.0), t
Cross-site request forgery (CSRF) vulnerability in subsonic 6.1.1 allows remote attackers with knowledge of the target u
An XSS issue was discovered in Subsonic Media Server 6.1.1. Rated medium severity (CVSS 6.1), this vulnerability is remo
An issue was discovered in Subsonic 6.1.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable,
An issue was discovered in Subsonic 6.1.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable,
An issue was discovered in Subsonic 6.1.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable,
An issue was discovered in Subsonic 6.1.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable,
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today