Security vulnerabilities discovered

[feedersec]

Hi, Could you please get in touch with me to discuss 2 vulnerabilities I've discovered in cherrymusic. feedersec [at] gmail [dot] com. Thanks.

[devsnd]

Thank you very much for checking CM for security vulnerabilities! I have fixed them in the devel branch and will now release a new version.

To all the CM users listening in: The two vulnerabilities found by feedersec could only be exploited by logged-in users. However, especially in the case that you are running CM as root (which you should not!) one of the vulnerabilities could lead to the compromise of your server. I'll release a new version now, please make sure to update as soon as possible.

Many thanks again @feedersec, please contact me again if you find anything in the future!

[feedersec]

Thanks for fixing @devsnd! For the CM community's information, the following CVE references can be used to track the vulnerabilities:

1. Directory traversal vulnerability allows authenticated users to download arbitrary files. ref: CVE-2015-8309
2. Persistent XSS vulnerability in the 'playlistname' field allows the insertion of javascript into this field when creating a new playlist. ref: CVE-2015-8310