CVE-2024-32963
MEDIUM4.2EPSS 0.35%Navidrome Parameter Tampering vulnerability
Published: 5/1/2024Modified: 6/4/2024
Description
### Summary Parameter tampering is a vulnerability where an attacker has the ability to manipulate parameter values in the HTTP requests. ### Details The attacker is able to change the parameter values in the body and successfully impersonate another user. In this case, the attacker created a playlist, added song, posted arbitrary comment, set the playlist to be public, and put the admin as the owner of the playlist. ### Impact Each known user is impacted. An attacker can obtain the ownerId from shared playlist information, meaning every user who has shared a playlist is also impacted, as they can be impersonated.
Affected packages (2)
- Go/github.com/navidrome/navidromefrom 0, < 0.52.0
- Go/github.com/navidrome/navidromefrom 0, < 0.52.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.2 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |