{"id":"PYSEC-2017-99","details":"Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the \"value\" parameter to \"download.\"","aliases":["CVE-2015-8309","GHSA-q624-9634-77gh"],"modified":"2024-04-29T17:26:31.883748Z","published":"2017-03-27T15:59:00Z","references":[{"type":"WEB","url":"https://www.exploit-db.com/exploits/40361/"},{"type":"REPORT","url":"https://github.com/devsnd/cherrymusic/issues/598"},{"type":"FIX","url":"https://github.com/devsnd/cherrymusic/commit/62dec34a1ea0741400dd6b6c660d303dcd651e86"},{"type":"WEB","url":"http://www.fomori.org/cherrymusic/Changes.html"},{"type":"WEB","url":"http://www.securityfocus.com/bid/97149"}],"affected":[{"package":{"name":"cherrymusic","ecosystem":"PyPI","purl":"pkg:pypi/cherrymusic"},"ranges":[{"type":"GIT","repo":"https://github.com/devsnd/cherrymusic","events":[{"introduced":"0"},{"fixed":"62dec34a1ea0741400dd6b6c660d303dcd651e86"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.36.0"}]}],"versions":["0.30.0","0.31.0","0.31.1","0.31.2","0.32.0","0.33.0","0.34.0","0.34.1","0.35.1","0.35.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/cherrymusic/PYSEC-2017-99.yaml"}}],"schema_version":"1.7.3"}