CVE-2024-28195
📋 TL;DR
CVE-2024-28195 is a Cross-Site Request Forgery (CSRF) vulnerability in your_spotify, an open-source self-hosted Spotify tracking dashboard. Attackers can exploit this to perform unauthorized actions on victims' instances, including data retrieval, modification, deletion, and potentially creating administrator accounts. All users running your_spotify versions below 1.9.0 are affected.
💻 Affected Systems
- your_spotify
📦 What is this software?
Your Spotify by Yooooomi
⚠️ Risk & Real-World Impact
Worst Case
Attackers can create new administrator accounts on the victim's instance, gaining full control to modify or delete all data, potentially compromising the entire installation.
Likely Case
Attackers can perform unauthorized actions on behalf of authenticated users, including retrieving, modifying, or deleting their Spotify tracking data.
If Mitigated
With proper CSRF protections implemented, all unauthorized cross-site requests would be blocked, preventing exploitation.
🎯 Exploit Status
Exploitation requires the victim to be authenticated to their your_spotify instance and visit a malicious website. Browser security settings may affect exploitability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.0
Vendor Advisory: https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj
Restart Required: Yes
Instructions:
1. Back up your current installation.
2. Stop the your_spotify service.
3. Update to version 1.9.0 or later using your package manager or by downloading from GitHub.
4. Restart the service.
5. Verify the update was successful.
🔧 Temporary Workarounds
No official workarounds
The vendor advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Isolate the your_spotify instance from untrusted networks and restrict access to trusted users only.
- Implement additional network-level protections such as web application firewalls (WAF) with CSRF protection rules.
🔍 How to Verify
Check if Vulnerable:
Check your your_spotify version. If it's below 1.9.0, you are vulnerable.
Check Version:
Check the your_spotify web interface or configuration files for version information, or, for a Docker deployment, run (substituting your own container name): docker inspect your_spotify_container | grep -i version
Verify Fix Applied:
After updating, verify the version is 1.9.0 or higher and test that CSRF tokens are now required for API and login requests.
📡 Detection & Monitoring
Log Indicators:
- Unusual API requests without CSRF tokens
- Multiple failed login attempts from unexpected sources
- Unexpected user creation or privilege escalation events
Network Indicators:
- HTTP POST requests to your_spotify API endpoints without proper Referer headers or CSRF tokens
- Requests originating from unexpected domains
SIEM Query:
source="your_spotify_logs" AND ((http_method="POST" AND NOT csrf_token=*) OR event_type="user_created" OR event_type="privilege_change")
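The indicators above, applied to structured access logs as an added example (this is not code from the your_spotify project or the advisory). The log field names, the instance origin and the sample records are all assumed; adapt them to what your reverse proxy or application actually logs.

```javascript
// Added example: flag log records matching the CSRF indicators listed above.
// Field names (method, path, origin, referer, csrf_token, event_type) are
// assumed, as is the instance origin; none of this is your_spotify's own logging.
const INSTANCE_ORIGIN = 'https://spotify.example.internal'; // assumed instance URL
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);
const SENSITIVE_EVENTS = new Set(['user_created', 'privilege_change']);

// Extract the origin (scheme + host + port) of a URL, or null if unparsable/absent.
function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Return the list of reasons one record looks suspicious; [] means clean.
function csrfIndicators(rec) {
  const reasons = [];
  if (STATE_CHANGING.has(rec.method)) {
    if (!rec.csrf_token) reasons.push('state-changing request without CSRF token');
    const src = originOf(rec.origin || rec.referer || '');
    if (src === null) reasons.push('no Origin/Referer on state-changing request');
    else if (src !== INSTANCE_ORIGIN) reasons.push(`cross-site source ${src}`);
  }
  if (SENSITIVE_EVENTS.has(rec.event_type)) reasons.push(`sensitive event ${rec.event_type}`);
  return reasons;
}

// Parse newline-delimited JSON and keep only records with at least one indicator.
function flagCsrfSuspects(ndjson) {
  return ndjson.split('\n').filter(Boolean).map((line) => JSON.parse(line))
    .map((rec) => ({ rec, reasons: csrfIndicators(rec) }))
    .filter((r) => r.reasons.length > 0);
}

// Constructed sample log (not real your_spotify output); paths are placeholders.
const SAMPLE_LOG = [
  { ts: '2024-03-10T12:00:00Z', method: 'GET', path: '/api/example', referer: `${INSTANCE_ORIGIN}/` },
  { ts: '2024-03-10T12:00:05Z', method: 'POST', path: '/api/example', referer: `${INSTANCE_ORIGIN}/settings`, csrf_token: 'tok1' },
  { ts: '2024-03-10T12:01:00Z', method: 'POST', path: '/api/example', referer: 'https://third-party.example/page' },
  { ts: '2024-03-10T12:02:00Z', method: 'POST', path: '/api/example', referer: `${INSTANCE_ORIGIN}/admin`, csrf_token: 'tok2', event_type: 'user_created' },
].map((r) => JSON.stringify(r)).join('\n');

for (const { rec, reasons } of flagCsrfSuspects(SAMPLE_LOG)) {
  console.log(rec.ts, rec.method, rec.path, '->', reasons.join('; '));
}
```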
🔗 References
- https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4
- https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj