Vulnerabilities > CVE-2017-9355 - Server-Side Request Forgery (SSRF) vulnerability in Subsonic 6.1.1

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

subsonic

CWE-918

exploit available

NVD

Published: 2017-06-07

Updated: 2017-08-13

Summary

XML external entity (XXE) vulnerability in the import playlist feature in Subsonic 6.1.1 might allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted XSPF playlist file.

Vulnerable Configurations

Part	Description	Count
Application	Subsonic Subsonic Subsonic 6.1.1	1

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

Exploit-Db

description	Subsonic 6.1.1 - XML External Entity Injection. CVE-2017-9355. Local exploit for Windows platform
file	exploits/windows/local/42119.txt
id	EDB-ID:42119
last seen	2017-06-05
modified	2017-06-05
platform	windows
port
published	2017-06-05
reporter	Exploit-DB
source	https://www.exploit-db.com/download/42119/
title	Subsonic 6.1.1 - XML External Entity Injection
type	local

Packetstorm

data source	https://packetstormsecurity.com/files/download/142795/SUBSONIC-XML-EXTERNAL-ENITITY.txt
id	PACKETSTORM:142795
last seen	2017-06-05
published	2017-06-03
reporter	hyp3rlinx
source	https://packetstormsecurity.com/files/142795/Subsonic-6.1.1-XML-External-Entity-Attack.html
title	Subsonic 6.1.1 XML External Entity Attack

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Packetstorm

References