zero day exploit for spotube
Is there an existing issue for this? (Please read the description)
- [x] I have searched the existing issues
Current Behavior
https://github.com/s-b-repo/deadtube.py/tree/main Hi, I made an exploit for Spotube, please fix the API. Fully working zero-day exploit for Spotube: you can change and control someone's app if they are on the same network as you, the song's play state.
Expected Behavior
Authenticate before running the next song or running these commands.
Steps to reproduce
Connect to the IP on the port with the URL path, then it executes commands.
Logs
nn
Operating System
tested this using kali linux
Spotube version
v4.0.2
Installation source
GitHub Releases (Binary)
Additional information
No response
Self grab
- [ ] I'm ready to work on this issue!
OK, the vulnerability is the path traversal by including ../ in the track name. Even if an attacker can put files on the host's machine, they can't be executed remotely. But still, it can be dangerous if the user accidentally executes a malicious file thinking it's a simple .m4a or an audio file.
Thanks for submitting. I'll fix it asap
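The path traversal described in the comment above, as an added illustration that is not Spotube's code and not the fix merged in #2687: a download path built from an untrusted track name, first joined as-is and then hardened. The function names, the 200-character limit and the sample track name are assumptions made for this example.

```python
import re
import tempfile
from pathlib import Path

# Characters that may not appear in a single file-name component
# (path separators, control characters, Windows-reserved punctuation).
_FORBIDDEN = re.compile(r'[\x00-\x1f<>:"/\\|?*]')

class UnsafeTrackName(ValueError):
    """The track name cannot be mapped to a file inside the download dir."""

def is_inside(download_dir, path) -> bool:
    """True if the fully resolved path is located below download_dir."""
    base = Path(download_dir).resolve()
    return base in Path(path).resolve().parents

def naive_download_path(download_dir, track_name) -> Path:
    # Vulnerable pattern: the untrusted name is joined unchanged, so "../"
    # segments walk out of the download directory.
    return Path(download_dir) / f"{track_name}.m4a"

def safe_download_path(download_dir, track_name) -> Path:
    # 1. Collapse the name to one component: separators become "_",
    #    leading/trailing dots and spaces are dropped.
    name = _FORBIDDEN.sub("_", track_name).strip(" .")
    if not name:
        raise UnsafeTrackName(f"nothing left after sanitising {track_name!r}")
    # 2. The extension is always appended by us, never taken from the input.
    candidate = Path(download_dir).resolve() / f"{name[:200]}.m4a"
    # 3. Defence in depth: refuse any target that resolves outside the dir.
    if not is_inside(download_dir, candidate):
        raise UnsafeTrackName(f"{track_name!r} escapes the download dir")
    return candidate

if __name__ == "__main__":
    downloads = tempfile.mkdtemp()                 # stand-in download dir
    hostile = "../../.config/autostart/evil"       # constructed sample input
    print("naive  :", naive_download_path(downloads, hostile).resolve())
    print("hardened:", safe_download_path(downloads, hostile))
```
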
No problem, hope it's interesting.
Should this be closed now since #2687 has been merged?