Directory traversal vulnerability in Cherry Music prior to 0.36.0 allows remote authenticated users to read arbitrary files via the "value" parameter to "download."
fomori cherrymusic