From SpinetiX Support Wiki

Jump to: navigation, search
Status: Resolved
Last Updated: July 2, 2021

This page relates to security advisories.

Session fixation on the player web interface

Affected Products HMP350, HMP300, DiVA, HMP400, HMP400W, third-party players
Severity High
Fixed Release Availability Upgrade to firmware 4.7.1 or later.


The player web interface does not properly validate the existence of the session ID cookie presented by the browser during sign-in.

A malicious user is able to create a new session ID cookie value and inject it to a victim’s browser via a malicious web page. After the victim signs-in to the player, the injected cookie becomes valid, giving the attacker access to the user's account on the player through the active session. If the victim user has admin privileges, the attacker gains total control of the player.

This attack is mitigated by the fact that players are normally connected to private networks or otherwise protected by a network firewall, and thus the player’s embedded web server is not accessible from the Internet. Another mitigation is that the legitimate user needs to be convinced to open the malicious web page and the attacker needs some knowledge of the private network to successfully inject the session ID cookie.

At the time of publishing, there has been no report of this vulnerability being exploited.


  1. July 2, 2021: Initial public release
This page was last modified on 20 December 2021, at 20:55.