Musicloud 1.6 Wi-Fi Transfer downfiles/cur-folder information disclosure


A vulnerability has been found in Musicloud 1.6 (Cloud Software) and classified as critical. It affects an unknown functionality of the Wi-Fi Transfer component. No information about possible countermeasures is known. Replacing the affected product with an alternative may be suggested.

Timeline

Analyzing the timeline helps to identify the required approach to, and handling of, single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance, so that an immediate vulnerability response can be initiated and issues can be prioritized.

[Charts: User, Field, Commit Conf, Approve Conf]

| ID | Committed | User | Field | Change | Remarks | Moderated | Reason | C |
|---|---|---|---|---|---|---|---|---|
| 8744806 | 05/10/2020 | VulD... | discoverydate | 1550361600 | | 05/10/2020 | accepted | 100 |
| 8744855 | 02/17/2019 | VulD... | cvss3_nvd_basescore | 8.1 | nist.gov | 02/17/2019 | accepted | 90 |
| 8744854 | 02/17/2019 | VulD... | cvss3_vuldb_rc | X | | 02/17/2019 | accepted | 90 |
| 8744853 | 02/17/2019 | VulD... | cvss3_vuldb_rl | X | | 02/17/2019 | accepted | 90 |
| 8744852 | 02/17/2019 | VulD... | cvss3_vuldb_e | X | | 02/17/2019 | accepted | 90 |
| 8744851 | 02/17/2019 | VulD... | cvss2_vuldb_rc | ND | | 02/17/2019 | accepted | 90 |
| 8744850 | 02/17/2019 | VulD... | cvss2_vuldb_rl | ND | | 02/17/2019 | accepted | 90 |
| 8744849 | 02/17/2019 | VulD... | cvss2_vuldb_e | ND | | 02/17/2019 | accepted | 90 |
| 8744848 | 02/17/2019 | VulD... | cve_nvd_summary | A file-read vulnerability was identified in the Wi-Fi transfer feature of Musicloud 1.6. By default, the application runs a transfer service on port 8080, accessible by everyone on the same Wi-Fi network. An attacker can send the POST parameters downfiles and cur-folder (with a crafted ../ payload) to the download.script endpoint. This will create a MusicPlayerArchive.zip archive that is publicly accessible and includes the content of any requested file (such as the /etc/passwd file). | mitre.org | 02/17/2019 | accepted | 100 |
| 8744847 | 02/17/2019 | VulD... | cve_assigned | 1550275200 | mitre.org | 02/17/2019 | accepted | 100 |
| 8744846 | 02/17/2019 | VulD... | cve | CVE-2019-8389 | mitre.org | 02/17/2019 | accepted | 100 |
| 8744845 | 02/17/2019 | VulD... | price_0day | $0-$5k | see documentation | 02/17/2019 | accepted | 100 |
| 8744844 | 02/17/2019 | VulD... | date | 1550361600 (02/17/2019) | | 02/17/2019 | accepted | 100 |
| 8744843 | 02/17/2019 | VulD... | cvss3_nvd_a | N | nist.gov | 02/17/2019 | accepted | 100 |
| 8744842 | 02/17/2019 | VulD... | cvss3_nvd_i | H | nist.gov | 02/17/2019 | accepted | 100 |
| 8744841 | 02/17/2019 | VulD... | cvss3_nvd_c | H | nist.gov | 02/17/2019 | accepted | 100 |
| 8744840 | 02/17/2019 | VulD... | cvss3_nvd_s | U | nist.gov | 02/17/2019 | accepted | 100 |
| 8744839 | 02/17/2019 | VulD... | cvss3_nvd_ui | N | nist.gov | 02/17/2019 | accepted | 100 |
| 8744838 | 02/17/2019 | VulD... | cvss3_nvd_pr | N | nist.gov | 02/17/2019 | accepted | 100 |
| 8744837 | 02/17/2019 | VulD... | cvss3_nvd_ac | L | nist.gov | 02/17/2019 | accepted | 100 |
