CVE-2015-8309 — Cherry Music directory traversal vulnerability

Description

Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the "value" parameter to "download."

How to fix CVE-2015-8309

To remediate CVE-2015-8309, upgrade the affected package to a fixed version below.

PyPI/cherrymusic—upgrade to 0.36.0 or later
PyPI/cherrymusic—upgrade to 62dec34a1ea0741400dd6b6c660d303dcd651e86 or later

Is CVE-2015-8309 being exploited?

Moderate — EPSS is 6.6%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 0.36.0
from 0, < 62dec34a1ea0741400dd6b6c660d303dcd651e86 | from 0, < 0.36.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (11)

ADVISORYgithub.com/advisories/GHSA-q624-9634-77gh
ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-8309
PATCHgithub.com/devsnd/cherrymusic
WEBgithub.com/devsnd/cherrymusic/commit/62dec34a1ea0741400dd6b6c660d303dcd651e86
WEB