From SpinetiX Support Wiki
This page relates to security advisories.
Session fixation on the player web interface
|Affected Products||HMP350, HMP300, DiVA, HMP400, HMP400W, third-party players|
|Fixed Release Availability||Upgrade to firmware 4.7.1 or later.|
- CVSS Base Score: 7.1 (High)
- CVSS v3.1 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
The player web interface does not properly validate the existence of the session ID cookie presented by the browser during sign-in.
A malicious user is able to create a new session ID cookie value and inject it to a victim’s browser via a malicious web page. After the victim signs-in to the player, the injected cookie becomes valid, giving the attacker access to the user's account on the player through the active session. If the victim user has admin privileges, the attacker gains total control of the player.
This attack is mitigated by the fact that players are normally connected to private networks or otherwise protected by a network firewall, and thus the player’s embedded web server is not accessible from the Internet. Another mitigation is that the legitimate user needs to be convinced to open the malicious web page and the attacker needs some knowledge of the private network to successfully inject the session ID cookie.
At the time of publishing, there has been no report of this vulnerability being exploited.
- July 2, 2021: Initial public release