Yooooomi Your Spotify vulnerabilities
5 known vulnerabilities affecting yooooomi/your_spotify.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 3
Vulnerabilities
CVE-2024-28194 | P2 | CRITICAL | CVSS 9.8 | CWE-798 | fixed in 1.8.0 | published 2024-03-13
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.8.0 use a hardcoded JSON Web Token (JWT) secret to sign authentication tokens. Attackers can use this well-known value to forge valid authentication tokens for arbitrary users. This vulnerability allows attackers to bypass authentication and authentica
Source: nvd
CVE-2024-28195 | P3 | HIGH | CVSS 8.8 | CWE-352 | fixed in 1.9.0 | published 2024-03-13
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attac
Source: nvd
CVE-2024-28193 | P3 | MEDIUM | CVSS 6.5 | CWE-200 | fixed in 1.8.0 | published 2024-03-13
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version <1.8.0 allows users to create a public token in the settings, which can be used to provide guest-level access to the information of that specific user in YourSpotify. The /me API endpoint discloses Spotify API access and refresh tokens to guest users. Attacke
Source: nvd
CVE-2024-28192 | P4 | MEDIUM | CVSS 5.3 | CWE-74 | fixed in 1.8.0 | published 2024-03-13
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version <1.8.0 is vulnerable to NoSQL injection in the public access token processing logic. Attackers can fully bypass the public token authentication mechanism, regardless if a public token has been generated before or not, without any user interaction or prerequisi
Source: nvd
CVE-2024-28196 | P4 | MEDIUM | CVSS 6.1 | CWE-1021 | fixed in 1.9.0 | published 2024-03-13
your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version < 1.9.0 does not prevent other pages from displaying it in an iframe and is thus vulnerable to clickjacking. Clickjacking can be used to trick an existing user of YourSpotify to trigger actions, such as allowing signup of other users or deleting the current u
Source: nvd