Description
Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the "value" parameter to "download."
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by feedersec · python · webapps · php
https://www.exploit-db.com/exploits/40361
References (5)
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/devsnd/cherrymusic/commit/62dec34a1ea0741400dd6b6c660d303dcd651e86
Third Party Advisory x_refsource_confirm
https://github.com/devsnd/cherrymusic/issues/598
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97149
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40361/
Release Notes, Vendor Advisory x_refsource_confirm
http://www.fomori.org/cherrymusic/Changes.html
Scores
CVSS v3
4.3
EPSS
0.0656
EPSS Percentile
91.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-22
Status
published
Products (2)
fomori/cherrymusic
< 0.35.2
pypi/CherryMusic
0 - 0.36.0 (PyPI)
Published
Mar 27, 2017
Tracked Since
Feb 18, 2026