CVE-2024-28195 (GCVE-0-2024-28195)
Vulnerability from cvelistv5 – Published: 2024-03-13 17:16 – Updated: 2025-04-15 15:18
VLAI?
Summary
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
8.1 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Yooooomi | your_spotify |
Affected:
< 1.9.0
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:yooooomi:your_spotify:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "your_spotify",
"vendor": "yooooomi",
"versions": [
{
"lessThan": "1.9.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28195",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T18:50:11.982715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T15:18:39.854Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj"
},
{
"name": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "your_spotify",
"vendor": "Yooooomi",
"versions": [
{
"status": "affected",
"version": "\u003c 1.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions \u003c 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-13T17:16:27.116Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj"
},
{
"name": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4"
}
],
"source": {
"advisory": "GHSA-hfgf-99p3-6fjj",
"discovery": "UNKNOWN"
},
"title": "Cross-Site Request Forgery (CSRF) vulnerability in API and login in your_spotify"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28195",
"datePublished": "2024-03-13T17:16:27.116Z",
"dateReserved": "2024-03-06T17:35:00.860Z",
"dateUpdated": "2025-04-15T15:18:39.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions \u003c 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}, {\"lang\": \"es\", \"value\": \"your_spotify es un panel de seguimiento de Spotify autohospedado y de c\\u00f3digo abierto. Las versiones de YourSpotify \u0026lt; 1.9.0 no protegen la API ni el flujo de inicio de sesi\\u00f3n contra la Cross-Site Request Forgery (CSRF). Los atacantes pueden usar esto para ejecutar ataques CSRF a las v\\u00edctimas, permiti\\u00e9ndoles recuperar, modificar o eliminar datos en la instancia de YourSpotify afectada. Al utilizar ataques CSRF repetidos, tambi\\u00e9n es posible crear un nuevo usuario en la instancia de la v\\u00edctima y promoverlo a administrador de la instancia si un administrador leg\\u00edtimo visita un sitio web preparado por un atacante. Nota: La explotabilidad de esta vulnerabilidad en el mundo real depende de la versi\\u00f3n y la configuraci\\u00f3n del navegador que utiliza la v\\u00edctima. Este problema se solucion\\u00f3 en la versi\\u00f3n 1.9.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.\"}]",
"id": "CVE-2024-28195",
"lastModified": "2024-11-21T09:06:00.303",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.2}]}",
"published": "2024-03-13T18:15:07.360",
"references": "[{\"url\": \"https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-352\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-28195\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-13T18:15:07.360\",\"lastModified\":\"2025-02-12T15:16:31.260\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions \u003c 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"your_spotify es un panel de seguimiento de Spotify autohospedado y de c\u00f3digo abierto. Las versiones de YourSpotify \u0026lt; 1.9.0 no protegen la API ni el flujo de inicio de sesi\u00f3n contra la Cross-Site Request Forgery (CSRF). Los atacantes pueden usar esto para ejecutar ataques CSRF a las v\u00edctimas, permiti\u00e9ndoles recuperar, modificar o eliminar datos en la instancia de YourSpotify afectada. Al utilizar ataques CSRF repetidos, tambi\u00e9n es posible crear un nuevo usuario en la instancia de la v\u00edctima y promoverlo a administrador de la instancia si un administrador leg\u00edtimo visita un sitio web preparado por un atacante. Nota: La explotabilidad de esta vulnerabilidad en el mundo real depende de la versi\u00f3n y la configuraci\u00f3n del navegador que utiliza la v\u00edctima. Este problema se solucion\u00f3 en la versi\u00f3n 1.9.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:yooooomi:your_spotify:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.9.0\",\"matchCriteriaId\":\"D4D16B98-81FE-426E-BD95-42B155B9C613\"}]}]}],\"references\":[{\"url\":\"https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj\", \"name\": \"https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4\", \"name\": \"https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:48:49.503Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-28195\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-13T18:50:11.982715Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:yooooomi:your_spotify:*:*:*:*:*:*:*:*\"], \"vendor\": \"yooooomi\", \"product\": \"your_spotify\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.9.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-19T17:21:48.529Z\"}}], \"cna\": {\"title\": \"Cross-Site Request Forgery (CSRF) vulnerability in API and login in your_spotify\", \"source\": {\"advisory\": \"GHSA-hfgf-99p3-6fjj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Yooooomi\", \"product\": \"your_spotify\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.9.0\"}]}], \"references\": [{\"url\": \"https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj\", \"name\": \"https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4\", \"name\": \"https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions \u003c 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"CWE-352: Cross-Site Request Forgery (CSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-13T17:16:27.116Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-28195\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-15T15:18:39.854Z\", \"dateReserved\": \"2024-03-06T17:35:00.860Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-03-13T17:16:27.116Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…