CVE-2019-10886
MEDIUM
Sony Photo Sharing Plus < pkg6.5629 - Unauthenticated Arbitrary File Read
Title source: llm
Description
An incorrect access control issue exists in the Sony Photo Sharing Plus application in firmware versions before PKG6.5629 (for the X7500D TV and other applicable TVs). This vulnerability allows an attacker to read arbitrary files without authentication over HTTP when the Photo Sharing Plus application is running. This may allow an attacker to browse a particular directory (e.g. images) inside the private network.
References (5)
Core References
Mailing List, Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/Apr/32
Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/152612/Sony-Smart-TV-Information-Disclosure-File-Read.html
Exploit, Vendor Advisory x_refsource_confirm
https://www.sony.com/electronics/support/downloads/00016043
Exploit, Mailing List, Third Party Advisory mailing-list
x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Apr/34
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/108072
Scores
CVSS v3: 5.9
EPSS: 0.0297
EPSS Percentile: 85.5%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-306
Status: published
Products (1): sony/photo_sharing_plus < pkg6.5629
Published: Apr 19, 2019
Tracked Since: Feb 18, 2026