Thank you very much for checking CM for security vulnerabilities! I have fixed them in the devel branch and will now release a new version.
To all the CM users listening in: The two vulnerabilities found by feedersec could only be exploited by logged-in users. However, especially in the case that you are running CM as root (which you should not!), one of the vulnerabilities could lead to the compromise of your server. I'll release a new version now; please make sure to update as soon as possible.
Many thanks again @feedersec, please contact me again if you find anything in the future!
Persistent XSS vulnerability in the 'playlistname' field allows the insertion of JavaScript into this field when creating a new playlist. ref: CVE-2015-8310
Hi, could you please get in touch with me to discuss 2 vulnerabilities I've discovered in cherrymusic? feedersec [at] gmail [dot] com. Thanks.