13 matches found
EUVD-2026-38067
Subsonic API: any authenticated user can delete or read any other user's playlist IDOR...
CVE-2026-49338
The CVE covers gonic, a Subsonic-compatible music server. Before 0.21.0, Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view allowed any authenticated user to delete or read any other user’s private playlist due to missing per-resource authorization. The playlist ID is bas...
CVE-2026-49338 Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)
gonic is a music streaming server / free-software subsonic server API implementation. Prior to version 0.21.0, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user (admin or not), an attacker can delete...
CVE-2026-49339 Path traversal in getPlaylist/deletePlaylist bypasses ownership check: any authenticated user can read or delete any other user's playlist
gonic is a music streaming server / free-software subsonic server API implementation. The maintainer's fix in commit 6dd71e6a3c966867ef8c900d359a7df75789f410 added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controll...
CVE-2024-42792
A Cross-Site Request Forgery (CSRF) vulnerability was found in Kashipara Music Management System v1.0 via /music/ajax.php?action=deleteplaylist page...
Kashipara Music Management System security vulnerability
Kashipara Music Management System is a music management system from Kashipara Inc. A security vulnerability exists in Kashipara Music Management System version v1.0, which stems from an Access Control Error vulnerability that allows an unauthenticated attacker to delete valid music playlist entri...
CVE-2024-42797
An Incorrect Access Control vulnerability was found in /music/ajax.php?action=deleteplaylist in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to delete the valid music playlist entries...
PT-2024-30170 · Unknown · Kashipara Music Management System
Name of the Vulnerable Software and Affected Versions: Kashipara Music Management System version 1.0 Description: An Incorrect Access Control issue was found in the "/music/ajax.php?action=delete playlist" endpoint. This issue allows an unauthenticated attacker to delete valid music playlist...
PT-2024-30165 · Unknown · Kashipara Music Management System
Name of the Vulnerable Software and Affected Versions: Kashipara Music Management System version 1.0 Description: A Cross-Site Request Forgery (CSRF) issue was found in the system via the "/music/ajax.php?action=delete playlist" page. This allows for unauthorized actions to be performed...