Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
muffon has One-click Remote Code Execution via XSS and Custom URL Handling
Vulnerability Description
muffon is a cross-platform music streaming client for desktop. Versions prior to 2.3.0 have a one-click Remote Code Execution (RCE) vulnerability in. An attacker can exploit this issue by embedding a specially crafted `muffon://` link on any website they control. When a victim visits the site or clicks the link, the browser triggers Muffon’s custom URL handler, causing the application to launch and process the URL. This leads to RCE on the victim's machine without further interaction. Version 2.3.0 patches the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
muffon 代码注入漏洞
Vulnerability Description
muffon是Aleksey Shpakovsky个人开发者的一个音乐播放软件。 muffon 2.3.0之前版本存在代码注入漏洞,该漏洞源于特制muffon链接处理不当,可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A