Medium severity5.4NVD Advisory· Published Mar 27, 2017· Updated May 13, 2026

CVE-2015-8310

Description

Cross-site scripting (XSS) vulnerability in Cherry Music before 0.36.0 allows remote authenticated users to inject arbitrary web script or HTML via the playlistname field when creating a new playlist.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cherry Music before 0.36.0 has a stored XSS vulnerability in the playlist creation feature, allowing authenticated users to inject arbitrary scripts.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Cherry Music prior to version 0.36.0. The playlistname field, when creating a new playlist, does not sanitize user input, allowing remote authenticated users to inject arbitrary web script or HTML. Versions 0.35.2, 0.35.1, 0.35, 0.34.1, 0.34, 0.33, 0.32, 0.31.2, 0.31.1, 0.31, 0.30, 0.29, 0.28, 0.27.2, 0.27.1, and earlier are affected [1][4]. The fix was introduced in version 0.36.0 [1][4].

Exploitation

An attacker must have a valid user account on the Cherry Music instance to exploit this vulnerability. No further privileges are required. The attacker creates a new playlist and enters a crafted payload (e.g., `) in the playlistname` field. When the playlist is saved, the malicious script is stored on the server. The payload executes in the browser of any user who views the playlist name, such as the playlist list or details page [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the authenticated victim's session. This can lead to session hijacking, defacement, or theft of sensitive data (cookies, tokens) displayed by the application. The attacker gains the same privileges as the victim within Cherry Music. The impact is limited to authenticated users who encounter the malicious playlist [1][2].

Mitigation

The vulnerability is fixed in Cherry Music version 0.36.0 [1][4]. Users should upgrade to this version or later. If upgrading is not immediately possible, the only workaround is to disable new playlist creation or sanitize the playlistname input server-side before the upgrade. No known exploits have been reported, and it is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

References

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
CherryMusicPyPI	< 0.36.0	0.36.0

Affected products

Fomori/Cherrymusic
cpe:2.3:a:fomori:cherrymusic:*:*:*:*:*:*:*:*
Range: <=0.35.2
ghsa-coords
pkg:pypi/cherrymusic
Range: < 0.36.0

Patches

62dec34a1ea0

fixes for CVE-2015-8309 (download arbitrary files) and CVE-2015-8309 (XSS vulnerability)

https://github.com/devsnd/cherrymusicTom WallrothNov 21, 2015via ghsa

commit

2 files changed · +8 −3

cherrymusicserver/httphandler.py+5 −1 modified

@@ -300,7 +300,11 @@ def download_check_files(self, filelist):
                 return 'not_permitted'
         # make sure nobody tries to escape from basedir
         for f in filelist:
-            if '/../' in f:
+            # don't allow to traverse up in the file system
+            if '/../' in f or f.startswith('../'):
+                return 'invalid_file'
+            # CVE-2015-8309: do not allow absolute file paths
+            if os.path.isabs(f):
                 return 'invalid_file'
         # make sure all files are smaller than maximum download size
         size_limit = cherry.config['media.maximum_download_size']

res/js/playlistmanager.js+3 −2 modified

@@ -562,8 +562,9 @@ PlaylistManager.prototype = {
                 isunsaved += ' <em>(unsaved)</em>';
             }
 
-
-            pltabs += '<a href="#" onclick="playlistManager.showPlaylist('+pl.id+')">'+isplaying+' '+pl.name+ isunsaved;
+            // fix for CVE-2015-8310
+            var escaped_playlist_name = $("<div>").text(pl.name).html();
+            pltabs += '<a href="#" onclick="playlistManager.showPlaylist('+pl.id+')">'+isplaying+' '+escaped_playlist_name + isunsaved;
             if(pl.closable){
                 pltabs += '<span class="playlist-tab-closer pointer" href="#" onclick="playlistManager.closePlaylist('+pl.id+')">&times;</span>';
             }

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/devsnd/cherrymusic/commit/62dec34a1ea0741400dd6b6c660d303dcd651e86nvdPatchThird Party AdvisoryWEB
www.fomori.org/cherrymusic/Changes.htmlnvdRelease NotesVendor AdvisoryWEB
github.com/advisories/GHSA-4wcc-jv3p-prqwghsaADVISORY
github.com/devsnd/cherrymusic/issues/598nvdThird Party AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2015-8310ghsaADVISORY
github.com/pypa/advisory-database/tree/main/vulns/cherrymusic/PYSEC-2017-100.yamlghsaWEB
web.archive.org/web/20200227183347/http://www.securityfocus.com/bid/97148ghsaWEB
www.securityfocus.com/bid/97148nvd

News mentions

No linked articles in our index yet.

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000