VYPR
Medium severity (4.3) · NVD Advisory · Published Mar 27, 2017 · Updated May 13, 2026

CVE-2015-8309

Description

Directory traversal vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to read arbitrary files via the "value" parameter to "download."
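A containment check for the kind of download file list the description refers to, as an added example that is not CherryMusic's own code: `check_filelist_contained` is a hypothetical name, the media root and the entries in `demo()` are constructed, and the check resolves each entry under the root and compares paths instead of scanning for `../` substrings.

```python
import os

# Constructed media root for the example; it need not exist on disk.
MEDIA_BASEDIR = "/srv/cherrymusic/media"


def check_filelist_contained(basedir, filelist):
    """Hypothetical replacement for a download file-list check.

    Each entry is expected to be a path relative to basedir. Instead of
    looking for '../' substrings, the entry is joined to basedir, resolved
    (symlinks followed, '.' and '..' collapsed) and then required to stay
    inside basedir. Returns 'ok' or 'invalid_file'.
    """
    root = os.path.realpath(basedir)
    for f in filelist:
        # Empty entries and absolute paths are never valid media references.
        if not f or os.path.isabs(f):
            return "invalid_file"
        resolved = os.path.realpath(os.path.join(root, f))
        try:
            # commonpath, unlike str.startswith, does not confuse 'media' with 'media2'.
            if os.path.commonpath([root, resolved]) != root:
                return "invalid_file"
        except ValueError:
            # Raised when the paths share no prefix at all (e.g. different drives).
            return "invalid_file"
    return "ok"


def demo():
    """Constructed inputs: legitimate entries plus the traversal shapes the
    advisory's fix is concerned with (absolute path, leading '../',
    embedded '/../', a bare '..', a sibling directory with the same prefix)."""
    entries = [
        "Artist/song.mp3",
        "Artist/../song.mp3",
        "/etc/hostname",
        "../outside.txt",
        "Artist/../../outside.txt",
        "..",
        "../media2/other.mp3",
    ]
    return {entry: check_filelist_contained(MEDIA_BASEDIR, [entry]) for entry in entries}


if __name__ == "__main__":
    for entry, verdict in demo().items():
        print(f"{entry!r:30} -> {verdict}")
```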

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions   Patched versions
CherryMusic (PyPI)   < 0.36.0            0.36.0

Patches

1 patch: commit 62dec34a1ea0

fixes for CVE-2015-8309 (download arbitrary files) and CVE-2015-8309 (XSS vulnerability)

https://github.com/devsnd/cherrymusic · Tom Wallroth · Nov 21, 2015 · via ghsa
2 files changed · +8 −3
  • cherrymusicserver/httphandler.py (+5 −1, modified)
    @@ -300,7 +300,11 @@ def download_check_files(self, filelist):
                     return 'not_permitted'
             # make sure nobody tries to escape from basedir
             for f in filelist:
    -            if '/../' in f:
    +            # don't allow to traverse up in the file system
    +            if '/../' in f or f.startswith('../'):
    +                return 'invalid_file'
    +            # CVE-2015-8309: do not allow absolute file paths
    +            if os.path.isabs(f):
                     return 'invalid_file'
             # make sure all files are smaller than maximum download size
             size_limit = cherry.config['media.maximum_download_size']
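Review bot: the two string tests added here still pass a bare `..` entry, which contains no `/../` and does not start with `../`, so the check remains a pattern match on the raw string rather than a statement about where the path ends up. Prefer resolving the entry under basedir (`os.path.realpath(os.path.join(basedir, f))`) and requiring `os.path.commonpath([basedir, resolved]) == basedir`, which also covers symlinks and a sibling directory whose name shares basedir's prefix. The new `os.path.isabs` call also relies on `os` being imported in this module, which the hunk does not show; worth confirming.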
    
  • res/js/playlistmanager.js (+3 −2, modified)
    @@ -562,8 +562,9 @@ PlaylistManager.prototype = {
                     isunsaved += ' <em>(unsaved)</em>';
                 }
     
    -
    -            pltabs += '<a href="#" onclick="playlistManager.showPlaylist('+pl.id+')">'+isplaying+' '+pl.name+ isunsaved;
    +            // fix for CVE-2015-8310
    +            var escaped_playlist_name = $("<div>").text(pl.name).html();
    +            pltabs += '<a href="#" onclick="playlistManager.showPlaylist('+pl.id+')">'+isplaying+' '+escaped_playlist_name + isunsaved;
                 if(pl.closable){
                     pltabs += '<span class="playlist-tab-closer pointer" href="#" onclick="playlistManager.closePlaylist('+pl.id+')">&times;</span>';
                 }
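Review bot: escaping `pl.name` with `$("<div>").text(pl.name).html()` is the right fix for the HTML text context, but `pl.id` is still concatenated unescaped into inline `onclick` attributes on both the tab link and the closer `<span>`; unless `id` is guaranteed numeric, build these elements with jQuery (`$('<a>').text(...)` and `.on('click', ...)`) instead of string-assembling markup, which removes the attribute and script contexts entirely. Also, the new comment labels the XSS fix `CVE-2015-8310` while the commit message cites `CVE-2015-8309` for both issues; one of the two should be corrected so the record stays consistent.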
    
