CVE-2018-6014

Published: Jan 23, 2018Modified: Nov 21, 2024

6.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Subsonic v6.1.3 has an insecure allow-access-from domain="*" Flash cross-domain policy that allows an attacker to retrieve sensitive user information via a read request. To exploit this issue, an attacker must convince the user to visit a web site loaded with a SWF file created specifically to steal user data.

Affected (1)

Products: Subsonic: Subsonic

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Subsonic Subsonic	Version 6.1.3

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (4)

https://www.vulnerability-lab.com/get_content.php?id=2115

Source: cve@mitre.org

Third Party Advisory

https://www.youtube.com/watch?v=t3nYuhAHOMg

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.vulnerability-lab.com/get_content.php?id=2115

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.youtube.com/watch?v=t3nYuhAHOMg

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.