Navidrome is an open source, web-based music collection server and streamer that lets users listen to their music collections from any browser or mobile device. A SQL injection vulnerability exists in Navidrome versions prior to 0.47.5. It stems from a lack of validation of externally supplied SQL statements in Navidrome's model/criteria/criteria.go when processing carefully crafted smart playlists. An attacker could exploit the vulnerability to extract arbitrary data from the database, including the user table (which contains sensitive information such as users' encrypted passwords).
CPE Name | Operator | Version
---|---|---
navidrome navidrome | lt | 0.47.5
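The bug class above is a smart-playlist rule set being translated into SQL without validating which fields and operators the client may name. The Go below is an added illustration, not Navidrome's code: the `Rule` schema, column names and operator set are constructed for the example. It contrasts the vulnerable concatenation pattern with a builder that accepts identifiers only from an allow-list and passes values as bound parameters.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one smart-playlist criterion as sent by a client (a constructed
// schema for this example, not Navidrome's real one).
type Rule struct{ Field, Op, Value string }

// Allow-lists: user-facing names map to fixed SQL fragments, so client text
// can never become part of an identifier or an operator.
var columns = map[string]string{
	"title": "media_file.title", "artist": "media_file.artist", "year": "media_file.year",
}
var operators = map[string]string{"is": "= ?", "contains": "LIKE ?", "gt": "> ?"}

// buildWhereUnsafe is the vulnerable pattern: field, operator and value text
// from the client are concatenated straight into the SQL string.
func buildWhereUnsafe(rules []Rule) string {
	parts := make([]string, 0, len(rules))
	for _, r := range rules {
		parts = append(parts, fmt.Sprintf("%s %s '%s'", r.Field, r.Op, r.Value))
	}
	return strings.Join(parts, " AND ")
}
// BuildWhere is the hardened form: identifiers and operators only through
// the allow-lists, values only as bound parameters (the returned args).
func BuildWhere(rules []Rule) (string, []interface{}, error) {
	parts, args := []string{}, []interface{}{}
	for _, r := range rules {
		col, ok := columns[r.Field]
		if !ok {
			return "", nil, fmt.Errorf("rejected unknown field %q", r.Field)
		}
		op, ok := operators[r.Op]
		if !ok {
			return "", nil, fmt.Errorf("rejected unknown operator %q", r.Op)
		}
		val := r.Value
		if r.Op == "contains" {
			val = "%" + val + "%" // wildcard is added server-side, still a bound value
		}
		parts = append(parts, col+" "+op)
		args = append(args, val)
	}
	return strings.Join(parts, " AND "), args, nil
}
```

A rule naming a field outside the allow-list (for instance one that points at the user table) is refused before any SQL is built, which is the check the vulnerable versions lacked.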