CVE-2019-19251

MEDIUM

Last.fm Scrobbler <2.1.39 - Info Disclosure

Title source: llm

Description

The Last.fm desktop app (Last.fm Scrobbler) through 2.1.39 on macOS makes HTTP requests that include an API key without the use of SSL/TLS. Although there is an Enable SSL option, it is disabled by default, and cleartext requests are made as soon as the app starts.

References (1)

[Third Party Advisory] https://getsatisfaction.com/lastfm/topics/why-doesnt-the-macos-client-enable-ssl-by-default-c1nh5k1s054ak

Scores

CVSS v3 5.3

EPSS 0.0015

EPSS Percentile 35.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-319 CWE-1188

Status published

Products (1)

last.fm/last.fm_desktop < 2.1.39

Published Dec 10, 2019

Tracked Since Feb 18, 2026