Описание
model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive information such as the users' encrypted passwords).
Ссылки
- PatchThird Party Advisory
- Release NotesThird Party Advisory
- PatchThird Party Advisory
- Release NotesThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 0.47.5 (исключая)
cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:*
EPSS
Процентиль: 52%
0.00294
Низкий
6.5 Medium
CVSS3
4 Medium
CVSS2
Дефекты
CWE-89
Связанные уязвимости
EPSS
Процентиль: 52%
0.00294
Низкий
6.5 Medium
CVSS3
4 Medium
CVSS2
Дефекты
CWE-89