CVE-2018-25181 PUBLISHED

Musicco 2.0.0 Arbitrary Directory Download via Path Traversal

Assigner: VulnCheck
Reserved: 06.03.2026 Published: 06.03.2026 Updated: 06.03.2026

Musicco 2.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary directories by manipulating the parent parameter. Attackers can supply directory traversal sequences in the parent parameter of the getAlbum endpoint to access sensitive system directories and download them as ZIP files.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor: Musicco
Product: Musicco
Versions:
  • Version 2.0.0 is affected

Credits

  • Ihsan Sencan (finder)

Problem Types

  • CWE: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')