CVE-2024-28195 (GCVE-0-2024-28195)
Vulnerability from cvelistv5
Published
2024-03-13 17:16
Modified
2025-04-15 15:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Yooooomi | your_spotify |
Version: < 1.9.0 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:yooooomi:your_spotify:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "your_spotify",
"vendor": "yooooomi",
"versions": [
{
"lessThan": "1.9.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-28195",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T18:50:11.982715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T15:18:39.854Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:48:49.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj"
},
{
"name": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "your_spotify",
"vendor": "Yooooomi",
"versions": [
{
"status": "affected",
"version": "\u003c 1.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions \u003c 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-13T17:16:27.116Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj"
},
{
"name": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4"
}
],
"source": {
"advisory": "GHSA-hfgf-99p3-6fjj",
"discovery": "UNKNOWN"
},
"title": "Cross-Site Request Forgery (CSRF) vulnerability in API and login in your_spotify"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-28195",
"datePublished": "2024-03-13T17:16:27.116Z",
"dateReserved": "2024-03-06T17:35:00.860Z",
"dateUpdated": "2025-04-15T15:18:39.854Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-28195\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-13T18:15:07.360\",\"lastModified\":\"2025-02-12T15:16:31.260\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions \u003c 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"your_spotify es un panel de seguimiento de Spotify autohospedado y de c\u00f3digo abierto. Las versiones de YourSpotify \u0026lt; 1.9.0 no protegen la API ni el flujo de inicio de sesi\u00f3n contra la Cross-Site Request Forgery (CSRF). Los atacantes pueden usar esto para ejecutar ataques CSRF a las v\u00edctimas, permiti\u00e9ndoles recuperar, modificar o eliminar datos en la instancia de YourSpotify afectada. Al utilizar ataques CSRF repetidos, tambi\u00e9n es posible crear un nuevo usuario en la instancia de la v\u00edctima y promoverlo a administrador de la instancia si un administrador leg\u00edtimo visita un sitio web preparado por un atacante. Nota: La explotabilidad de esta vulnerabilidad en el mundo real depende de la versi\u00f3n y la configuraci\u00f3n del navegador que utiliza la v\u00edctima. Este problema se solucion\u00f3 en la versi\u00f3n 1.9.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:yooooomi:your_spotify:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.9.0\",\"matchCriteriaId\":\"D4D16B98-81FE-426E-BD95-42B155B9C613\"}]}]}],\"references\":[{\"url\":\"https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj\", \"name\": \"https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4\", \"name\": \"https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T00:48:49.503Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-28195\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-13T18:50:11.982715Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:yooooomi:your_spotify:*:*:*:*:*:*:*:*\"], \"vendor\": \"yooooomi\", \"product\": \"your_spotify\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.9.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-19T17:21:48.529Z\"}}], \"cna\": {\"title\": \"Cross-Site Request Forgery (CSRF) vulnerability in API and login in your_spotify\", \"source\": {\"advisory\": \"GHSA-hfgf-99p3-6fjj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Yooooomi\", \"product\": \"your_spotify\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.9.0\"}]}], \"references\": [{\"url\": \"https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj\", \"name\": \"https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4\", \"name\": \"https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions \u003c 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"CWE-352: Cross-Site Request Forgery (CSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-13T17:16:27.116Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-28195\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-15T15:18:39.854Z\", \"dateReserved\": \"2024-03-06T17:35:00.860Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-03-13T17:16:27.116Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…