ReenigneArcher

4 exploits Active since Apr 2024
CVE-2024-31221 WRITEUP MEDIUM WRITEUP
lizardbyte/sunshine 0.10.0-0.22.9 - Session Fixation via Device Unpairing Bypass
Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI interface and then pairing only one device, all of the previously devices will be temporarily paired. Version 0.23.0 contains a patch for the issue. As a workaround, restarting Sunshine after unpairing all devices prevents the vulnerability.
CVSS 5.9
CVE-2024-51738 WRITEUP HIGH WRITEUP
lizardbyte/sunshine < 2025.118.151840 - Unauthenticated Authentication Bypass via Pairing Protocol MITM
Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840.
CVSS 8.1
CVE-2025-53095 WRITEUP CRITICAL WRITEUP
lizardbyte/sunshine < 2025.628.4510 - Cross-Site Request Forgery via Command Preparations Feature
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an authenticated user, can trigger unintended actions within the Sunshine application on behalf of that user. Specifically, since the application does OS command execution by design, this issue can be exploited to abuse the "Command Preparations" feature, enabling an attacker to inject arbitrary commands that will be executed with Administrator privileges when an application is launched. This issue has been patched in version 2025.628.4510.
CVSS 9.6
CVE-2025-54081 WRITEUP MEDIUM WRITEUP
Sunshine <2025.923.33222 - Path Traversal
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM) interprets the path incrementally and may execute a malicious binary placed earlier in the search string. This issue has been patched in version 2025.923.33222.
CVSS 6.7