{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28195", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-06T17:35:00.860Z", "datePublished": "2024-03-13T17:16:27.116Z", "dateUpdated": "2025-04-15T15:18:39.854Z"}, "containers": {"cna": {"title": "Cross-Site Request Forgery (CSRF) vulnerability in API and login in your_spotify", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj"}, {"name": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4", "tags": ["x_refsource_MISC"], "url": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4"}], "affected": [{"vendor": "Yooooomi", "product": "your_spotify", "versions": [{"version": "< 1.9.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-13T17:16:27.116Z"}, "descriptions": [{"lang": "en", "value": "your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-hfgf-99p3-6fjj", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "yooooomi", "product": "your_spotify", "cpes": ["cpe:2.3:a:yooooomi:your_spotify:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.9.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-13T18:50:11.982715Z", "id": "CVE-2024-28195", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-15T15:18:39.854Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.503Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj"}, {"name": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj", "name": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4", "name": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.503Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28195", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-13T18:50:11.982715Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:yooooomi:your_spotify:*:*:*:*:*:*:*:*"], "vendor": "yooooomi", "product": "your_spotify", "versions": [{"status": "affected", "version": "0", "lessThan": "1.9.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T17:21:48.529Z"}}], "cna": {"title": "Cross-Site Request Forgery (CSRF) vulnerability in API and login in your_spotify", "source": {"advisory": "GHSA-hfgf-99p3-6fjj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Yooooomi", "product": "your_spotify", "versions": [{"status": "affected", "version": "< 1.9.0"}]}], "references": [{"url": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj", "name": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4", "name": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-13T17:16:27.116Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28195", "state": "PUBLISHED", "dateUpdated": "2025-04-15T15:18:39.854Z", "dateReserved": "2024-03-06T17:35:00.860Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-13T17:16:27.116Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yooooomi:your_spotify:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4D16B98-81FE-426E-BD95-42B155B9C613", "versionEndExcluding": "1.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "your_spotify es un panel de seguimiento de Spotify autohospedado y de c\u00f3digo abierto. Las versiones de YourSpotify &lt; 1.9.0 no protegen la API ni el flujo de inicio de sesi\u00f3n contra la Cross-Site Request Forgery (CSRF). Los atacantes pueden usar esto para ejecutar ataques CSRF a las v\u00edctimas, permiti\u00e9ndoles recuperar, modificar o eliminar datos en la instancia de YourSpotify afectada. Al utilizar ataques CSRF repetidos, tambi\u00e9n es posible crear un nuevo usuario en la instancia de la v\u00edctima y promoverlo a administrador de la instancia si un administrador leg\u00edtimo visita un sitio web preparado por un atacante. Nota: La explotabilidad de esta vulnerabilidad en el mundo real depende de la versi\u00f3n y la configuraci\u00f3n del navegador que utiliza la v\u00edctima. Este problema se solucion\u00f3 en la versi\u00f3n 1.9.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-28195", "lastModified": "2025-02-12T15:16:31.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-13T18:15:07.360", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}