GHSA-36hm-c9f8-f8xcMediumCVSS 5.3
Lyrion Music Server 9.2.0 contains an arbitrary directory listing vulnerability in its...
🔗 CVE IDs covered (1)
📋 Description
Lyrion Music Server 9.2.0 contains an arbitrary directory listing vulnerability in its readdirectory query, exposed through both the CLI service (TCP port 9090) and the HTTP JSON-RPC endpoint (/jsonrpc.js). The query accepts a folder parameter and lists its contents with no restriction to the configured media directories and no authentication in the default configuration, allowing a remote, unauthenticated attacker to enumerate arbitrary locations on the host filesystem.