Description
The Last.fm desktop app (Last.fm Scrobbler) through 2.1.39 on macOS makes HTTP requests that include an API key without the use of SSL/TLS. Although there is an Enable SSL option, it is disabled by default, and cleartext requests are made as soon as the app starts.
References (1)
Core References
Third Party Advisory x_refsource_misc
https://getsatisfaction.com/lastfm/topics/why-doesnt-the-macos-client-enable-ssl-by-default-c1nh5k1s054ak
Scores
CVSS v3: 5.3
EPSS: 0.0075
EPSS Percentile: 49.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE: CWE-319, CWE-1188
Status: published
Products (1): last.fm/last.fm_desktop < 2.1.39
Published: Dec 10, 2019
Tracked Since: Feb 18, 2026