CVE-2024-28195

Published: Mar 13, 2024

Modified: Apr 15, 2025

PUBLISHED

CVSS v3.1

8.1

HIGH

Description

your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vendor	Product	Versions
Yooooomi	your_spotify	affected `< 1.9.0`

Weaknesses (CWE)

CWE-352

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj

x_refsource_CONFIRM

https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-28195

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References