vendor:
subsonic
by:
John Page a.k.a hyp3rlinx
8,8
CVSS
HIGH
CSRF - Persistent XSS
352
CWE
Product Name: subsonic
Affected Version From: subsonic v6.1.1
Affected Version To: subsonic v6.1.1
Patch Exists: YES
Related CWE: CVE-2017-9414
CPE: a:subsonic:subsonic
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: None
2017
Subsonic CSRF Persistent XSS
Remote attackers can abuse the Subscribe to Podcast feature of subsonic to store persistent XSS payloads if an authenticated user clicks a malicious link or visits an attacker controlled webpage.
Mitigation:
The vendor has released a patch to address this vulnerability.
