CVE-2019-8389

HIGH

Musicloud 1.6 - Unauthenticated Path Traversal and Arbitrary File Read via Wi-Fi Transfer Feature


Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-8389. PoCs published by shawarkhanethicalhacker.

AI-analyzed exploit summary: This PoC exploits a local file read vulnerability in Musicloud v1.6 iOS via crafted POST parameters to the download.script endpoint, allowing arbitrary file retrieval. The exploit constructs a path traversal payload to read files like /etc/passwd and retrieves them via a publicly accessible ZIP archive.

Description

A file-read vulnerability was identified in the Wi-Fi transfer feature of Musicloud 1.6. By default, the application runs a transfer service on port 8080, accessible by everyone on the same Wi-Fi network. An attacker can send the POST parameters downfiles and cur-folder (with a crafted ../ payload) to the download.script endpoint. This will create a MusicPlayerArchive.zip archive that is publicly accessible and includes the content of any requested file (such as the /etc/passwd file).

Exploits (1)

nomisec WORKING POC 10 stars
by shawarkhanethicalhacker · poc
https://github.com/shawarkhanethicalhacker/CVE-2019-8389

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Musicloud for iOS v1.6
Authentication: No auth needed
Prerequisites: Target running Musicloud v1.6 iOS · Network access to the target's Wi-Fi transfer service on port 8080
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 8.1
EPSS: 0.0538
EPSS Percentile: 90.2%
Attack Vector: ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE: CWE-22
Status: published
Products (1): musicloud_project/musicloud 1.6
Published: Feb 17, 2019
Tracked Since: Feb 18, 2026