CVE-2015-8309

MEDIUM

Cherry Music <0.36.0 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-8309. PoCs published by feedersec.

AI-analyzed exploit summary: This exploit demonstrates a directory traversal vulnerability in Cherry Music v0.35.1, allowing authenticated users to download arbitrary files by manipulating the 'value' parameter in a POST request to the '/download' endpoint.

Description

Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the "value" parameter to "download."

Exploits (1)

exploitdb WORKING POC VERIFIED
by feedersec · python · webapps · php
https://www.exploit-db.com/exploits/40361

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Cherry Music v0.35.1
Auth required
Prerequisites: Valid credentials for authentication · Access to the target application
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Third Party Advisory x_refsource_confirm
https://github.com/devsnd/cherrymusic/issues/598
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97149
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40361/
Release Notes, Vendor Advisory x_refsource_confirm
http://www.fomori.org/cherrymusic/Changes.html

Scores

CVSS v3 4.3
EPSS 0.0667
EPSS Percentile 93.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE CWE-22
Status published
Products (2)
fomori/cherrymusic < 0.35.2
pypi/CherryMusic 0 - 0.36.0 (PyPI)
Published Mar 27, 2017
Tracked Since Feb 18, 2026