Headline
CVE-2022-23603: Build software better, together
iTunesRPC-Remastered is a discord rich presence application for use with iTunes & Apple Music. In code before commit 24f43aa user input is not properly sanitized and code injection is possible. Users are advised to upgrade as soon as is possible. There are no known workarounds for this issue.
Package
server.py (Flask)
Affected versions
>private.debug.3
Impact
What kind of vulnerability is it? Who is impacted?
This vulnerability is a XSS and Improper Encoding vulnerability. AFAIK, only servers are impacted.
Patches
Has the problem been patched? What versions should users upgrade to?
No patches have been released yet.
As of commit 24f43aa, the issue has been fixed. No official releases are affected. Commits 7f9dd66, b39ad02, 96cc9f2, 4d0f88b, c29b3c8, 953fd83, 355a474, and 54b02d9 are all still vulnerable.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users can manually add escaping to the server and client, or upgrade to commit 24f43aa.
For more information
If you have any questions or comments about this advisory:
- Email us at [email protected]
CWEs
CVSS Score
9.9 Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L