Bug 867736 (CVE-2017-9355, CVE-2017-9413, CVE-2017-9414, CVE-2017-9415, CVE-2018-14688, CVE-2018-14689, CVE-2018-14690, CVE-2018-14691, CVE-2018-20228, CVE-2018-6014, CVE-2018-9282) - media-sound/subsonic-bin: multiple vulnerabilities
Summary: media-sound/subsonic-bin: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2017-9355, CVE-2017-9413, CVE-2017-9414, CVE-2017-9415, CVE-2018-14688, CVE-2018-14689, CVE-2018-14690, CVE-2018-14691, CVE-2018-20228, CVE-2018-6014, CVE-2018-9282
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [??]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2022-08-31 16:49 UTC by John Helmert III
Modified: 2023-05-26 04:22 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III 2022-08-31 16:49:32 UTC
CVE-2018-9282 (https://www.bishopfox.com/news/2018/09/subsonic-6-1-1-multiple-vulnerabilities/):

An XSS issue was discovered in Subsonic Media Server 6.1.1. The podcast subscription form is affected by a stored XSS vulnerability in the add parameter to podcastReceiverAdmin.view; no administrator access is required. By injecting a JavaScript payload, this flaw could be used to manipulate a user's session, or elevate privileges by targeting an administrative user.

CVE-2018-6014 (https://www.vulnerability-lab.com/get_content.php?id=2115):
https://www.youtube.com/watch?v=t3nYuhAHOMg

Subsonic v6.1.3 has an insecure allow-access-from domain="*" Flash cross-domain policy that allows an attacker to retrieve sensitive user information via a read request. To exploit this issue, an attacker must convince the user to visit a web site loaded with a SWF file created specifically to steal user data.

CVE-2018-20228 (https://www.vulnerability-lab.com/get_content.php?id=2175):

Subsonic V6.1.5 allows internetRadioSettings.view streamUrl CSRF, with resultant SSRF.

CVE-2018-14691 (https://www.bishopfox.com/news/2018/09/subsonic-6-1-1-multiple-vulnerabilities/):

An issue was discovered in Subsonic 6.1.1. The music tags feature is affected by three stored cross-site scripting vulnerabilities in the c0-param2, c0-param3, and c0-param4 parameters to dwr/call/plaincall/tagService.setTags.dwr that could be used to steal session information of a victim.

CVE-2018-14690 (https://www.bishopfox.com/news/2018/09/subsonic-6-1-1-multiple-vulnerabilities/):

An issue was discovered in Subsonic 6.1.1. The general settings are affected by two stored cross-site scripting vulnerabilities in the title and subtitle parameters to generalSettings.view that could be used to steal session information of a victim.

CVE-2018-14689 (https://www.bishopfox.com/news/2018/09/subsonic-6-1-1-multiple-vulnerabilities/):

An issue was discovered in Subsonic 6.1.1. The transcoding settings are affected by five stored cross-site scripting vulnerabilities in the name[x], sourceformats[x], targetFormat[x], step1[x], and step2[x] parameters (where x is an integer) to transcodingSettings.view that could be used to steal session information of a victim.

CVE-2018-14688 (https://www.bishopfox.com/news/2018/09/subsonic-6-1-1-multiple-vulnerabilities/):

An issue was discovered in Subsonic 6.1.1. The radio settings are affected by three stored cross-site scripting vulnerabilities in the name[x], streamUrl[x], homepageUrl[x] parameters (where x is an integer) to internetRadioSettings.view that could be used to steal session information of a victim.

CVE-2017-9415 (https://www.exploit-db.com/exploits/42117/):

Cross-site request forgery (CSRF) vulnerability in subsonic 6.1.1 allows remote attackers with knowledge of the target username to hijack the authentication of users for requests that change passwords via a crafted request to userSettings.view.

CVE-2017-9414 (https://www.exploit-db.com/exploits/42120/):
http://packetstormsecurity.com/files/142796/Subsonic-6.1.1-Persistent-XSS.html
http://hyp3rlinx.altervista.org/advisories/SUBSONIC-CSRF-PERSISTENT-XSS.txt

Cross-site request forgery (CSRF) vulnerability in the Subscribe to Podcast feature in Subsonic 6.1.1 allows remote attackers to hijack the authentication of unspecified victims for requests that conduct cross-site scripting (XSS) attacks or possibly have unspecified other impact via the name parameter to playerSettings.view.

CVE-2017-9413 (http://packetstormsecurity.com/files/142794/Subsonic-6.1.1-Server-Side-Request-Forgery.html):
https://www.exploit-db.com/exploits/42118/

Multiple cross-site request forgery (CSRF) vulnerabilities in the Podcast feature in Subsonic 6.1.1 allow remote attackers to hijack the authentication of users for requests that (1) subscribe to a podcast via the add parameter to podcastReceiverAdmin.view or (2) update Internet Radio Settings via the urlRedirectCustomUrl parameter to networkSettings.view. NOTE: These vulnerabilities can be exploited to conduct server-side request forgery (SSRF) attacks.

CVE-2017-9355 (http://packetstormsecurity.com/files/142795/Subsonic-6.1.1-XML-External-Entity-Attack.html):
http://hyp3rlinx.altervista.org/advisories/SUBSONIC-XML-EXTERNAL-ENITITY.txt
https://www.exploit-db.com/exploits/42119/

XML external entity (XXE) vulnerability in the import playlist feature in Subsonic 6.1.1 might allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted XSPF playlist file.

I'm not sure if these are actually fixed, since the "BishopFox" advisory 404s, and nobody ever saved it to the Internet archive, and it seems like the other references are mostly duplicates of the same exploit information without references to upstream.
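The CVE-2017-9355 entry above concerns an XXE in the XSPF playlist import. The following is an added example (not Subsonic's code and not part of the bug report) of the mitigation a playlist importer should apply: XSPF never needs a DTD, so any document carrying a DOCTYPE or entity declaration is refused before it reaches the XML parser, and only then are track titles and locations extracted. The playlist samples are constructed for the example; the `http://localhost/placeholder` entity target and all function names are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

XSPF_NS = "http://xspf.org/ns/0/"


class UnsafePlaylist(ValueError):
    """Raised when an uploaded playlist is rejected before or during parsing."""


# Constructed sample: a benign XSPF playlist with two tracks.
BENIGN_XSPF = b"""<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1" xmlns="http://xspf.org/ns/0/">
  <trackList>
    <track><title>First track</title><location>file:///music/a.mp3</location></track>
    <track><title>Second track</title><location>file:///music/b.mp3</location></track>
  </trackList>
</playlist>
"""

# Constructed sample of the shape an XXE document takes: a DOCTYPE declaring an
# external entity (placeholder target) that is then referenced in the body.
# The importer only needs to notice that a DOCTYPE is present at all.
XXE_XSPF = b"""<?xml version="1.0"?>
<!DOCTYPE playlist [ <!ENTITY ext SYSTEM "http://localhost/placeholder"> ]>
<playlist version="1" xmlns="http://xspf.org/ns/0/">
  <trackList><track><title>&ext;</title></track></trackList>
</playlist>
"""


def has_doctype(xml_bytes: bytes) -> bool:
    """Pre-parse check: True if the document declares a DOCTYPE or any entity.

    The scan is deliberately crude. A legitimate XSPF file has no reason to carry
    a DTD, so rejecting every DOCTYPE costs nothing and removes the whole class
    of external-entity and entity-expansion problems before the parser runs.
    """
    return b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes


def import_xspf(xml_bytes: bytes) -> List[Dict[str, str]]:
    """Parse an uploaded XSPF playlist and return its tracks as dicts.

    Raises UnsafePlaylist when the upload carries a DOCTYPE or is not an
    XSPF document at all.
    """
    if has_doctype(xml_bytes):
        raise UnsafePlaylist("DOCTYPE/entity declarations are not allowed in playlists")

    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}playlist" % XSPF_NS:
        raise UnsafePlaylist("not an XSPF playlist document")

    tracks = []
    path = "{%s}trackList/{%s}track" % (XSPF_NS, XSPF_NS)
    for track in root.iterfind(path):
        tracks.append({
            "title": track.findtext("{%s}title" % XSPF_NS, default=""),
            "location": track.findtext("{%s}location" % XSPF_NS, default=""),
        })
    return tracks


def is_rejected(xml_bytes: bytes) -> bool:
    """Convenience wrapper: True if the importer refuses the document."""
    try:
        import_xspf(xml_bytes)
    except UnsafePlaylist:
        return True
    return False


if __name__ == "__main__":
    print("benign tracks:", import_xspf(BENIGN_XSPF))
    print("XXE sample rejected:", is_rejected(XXE_XSPF))
```

In a production Java or Python importer the same effect is normally obtained at the parser level (disabling DTD processing and external entity resolution, or using a hardened wrapper such as defusedxml); the byte-level pre-check above is shown because it is independent of any parser's defaults and easy to verify.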
Comment 1 John Helmert III 2022-08-31 16:50:21 UTC
I *suppose* this is what's fixed in the PR, but very hard to verify.
Comment 2 Larry the Git Cow 2023-01-30 06:45:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3323ba94da9af1cf07d7a9d24f7ab11091aaebb

commit e3323ba94da9af1cf07d7a9d24f7ab11091aaebb
Author:     Marco Scardovi <mscardovi@icloud.com>
AuthorDate: 2022-12-30 23:00:43 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-01-30 06:45:39 +0000

    media-sound/subsonic-bin: add 6.1.6
    
    Closes: https://github.com/gentoo/gentoo/pull/15641
    Bug: https://bugs.gentoo.org/867736
    Closes: https://bugs.gentoo.org/604872
    Signed-off-by: Marco Scardovi <scardracs-gentoo@proton.me>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 media-sound/subsonic-bin/Manifest                  |  1 +
 media-sound/subsonic-bin/subsonic-bin-6.1.6.ebuild | 56 ++++++++++++++++++++++
 2 files changed, 57 insertions(+)
Comment 3 John Helmert III 2023-05-26 04:22:20 UTC
Well, no mention of any of this at: http://www.subsonic.org/pages/changelog.jsp