2018-01-22
Subsonic v6.1.3 has an insecure allow-access-from domain="*" Flash cross-domain policy that allows an attacker to retrieve sensitive user information via a read request. To exploit this issue, an attacker must convince the user to visit a web site loaded with a SWF file created specifically to steal user data.
Products | Subsonic
Type | Information Exposure (CWE-200)
First patch | None (likely due to unavailable code)
Links |
• https://www.youtube.com/watch?v=t3nYuhAHOMg
• https://www.vulnerability-lab.com/get_content.php?id=2115