CVE-2015-8309

Advisory

Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the "value" parameter to "download."

Affected package

Affected versions

Fixed versions

Vulnerability changelog

- FIXED: *Security* CVE-2015-8309 Download of arbitrary files by logged in users (thanks
feedersec)
- FIXED: *Security* CVE-2015-8310 XSS attack by logged-in users (thanks feedersec)
- FIXED: OGA files are now correctly recognized as ogg-audio files
- FIXED: Sorting tracks by track number correctly
- FIXED: Cannot load playlists containing single quotes
- FEATURE: allow reverse-sorting of playlists (thanks pando85)
- FEATURE: Enabled support of ffmpeg to decode ALAC files
- FEATURE: Added optional support for Pillow as Image Library
- IMPROVEMENT: disabled confirm-to-quit message for playlist downloads
- IMPROVEMENT: Updated TinyTag to version 0.10.1 (much faster ID3 parsing)
- IMPROVEMENT: Predictable selection of album-art images (thanks lzh9102)
- FIXED: Removed restrictions for passwords created in CLI

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8309
• https://www.exploit-db.com/exploits/40361/
• https://github.com/devsnd/cherrymusic/issues/598
• https://github.com/devsnd/cherrymusic/commit/62dec34a1ea0741400dd6b6c660d303dcd651e86
• http://www.fomori.org/cherrymusic/Changes.html
• http://www.securityfocus.com/bid/97149