268 matches found
Malicious code in spotify-talos (npm)
The package spotify-talos was found to contain malicious code...
MAL-2025-33799 Malicious code in spotify-talos (npm)
The package spotify-talos was found to contain malicious code...
MAL-2025-6857 Malicious code in spotify-test (npm)
The package communicates with a domain associated with malicious activity...
Malicious code in spotify-test (npm)
The package communicates with a domain associated with malicious activity...
CVE-2024-5199
The Spotify Play Button WordPress plugin through 1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2024-42011
The Spotify app 8.9.58 for iOS has a buffer overflow in its use of strcat...
CVE-2024-11192
The Spotify Play Button for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's spotifyplaybutton shortcode in all versions up to, and including, 2.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2024-28193
yourspotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version 1.8.0 allows users to create a public token in the settings, which can be used to provide guest-level access to the information of that specific user in YourSpotify. The /me API endpoint discloses Spotify A...
CVE-2023-41131
Cross-Site Request Forgery CSRF vulnerability in Jonk @ Follow me Darling Sptify Play Button for WordPress plugin = 2.10 versions...
CVE-2023-44145
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in jesweb.Dev Anchor Episodes Index Spotify for Podcasters plugin = 2.1.7 versions...
CVE-2023-1840
The Sptify Play Button for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.07 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
CVE-2023-23608
Spotipy is a light weight Python library for the Spotify Web API. In versions prior to 2.22.1, if a malicious URI is passed to the library, the library can be tricked into performing an operation on a different API endpoint than intended. The code Spotipy uses to parse URIs and URLs allows an...
CVE-2022-39231
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for Facebook and Spotify may be circumvented. Configurations which allow users to...
CVE-2021-40927
Cross-site scripting XSS vulnerability in callback.php in Spotify-for-Alfred 0.13.9 and below allows remote attackers to inject arbitrary web script or HTML via the error parameter...
CVE-2025-47928
CVE-2025-47928 affects the Spotipy Python library for the Spotify Web API. The issue arises from using GitHub Actions pull_request_target, which can execute untrusted code from a fork with base-repo secrets in the context of the base repository. This can lead to exfiltration of secrets such as GI...
[SECURITY] Fedora 42 Update: python-spotipy-2.25.1-1.fc42
A light weight Python library for the Spotify Web API...
[SECURITY] Fedora 40 Update: python-spotipy-2.25.1-1.fc40
A light weight Python library for the Spotify Web API...
[SECURITY] Fedora 41 Update: python-spotipy-2.25.1-1.fc41
A light weight Python library for the Spotify Web API...
Improper File Permissions
spotipy is vulnerable to Improper File Permissions. The vulnerability is due to insecure default file permissions that allow unauthorized users to read the Spotify auth token...
Spotipy's cache file, containing spotify auth token, is created with overly broad permissions
Summary The CacheHandler class creates a cache file to store the auth token here: https://github.com/spotipy-dev/spotipy/blob/master/spotipy/cachehandler.pyL93-L98 The file created has rw-r--r-- 644 permissions by default, when it could be locked down to rw------- 600 permissions. I think 600 is ...