CVE-2023-50264

EUVD-2023-55076
Bazarr manages and downloads subtitles. Prior to 1.3.1, Bazarr contains an arbitrary file read in /system/backup/download/ endpoint in bazarr/app/ui.py does not validate the user-controlled filename variable and uses it in the send_file function, which leads to an arbitrary file read on the system. This issue is fixed in version 1.3.1.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
GitHub_MCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
Affected Products (NVD)
VendorProductVersion
bazarrbazarr
𝑥
< 1.3.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/morpheus65535/bazarr/commit/17add7fbb3ae1919a40d505470d499d46df9ae6b
https://github.com/morpheus65535/bazarr/releases/tag/v1.3.1
https://securitylab.github.com/advisories/GHSL-2023-192_GHSL-2023-194_bazarr/
https://github.com/morpheus65535/bazarr/commit/17add7fbb3ae1919a40d505470d499d46df9ae6b
https://github.com/morpheus65535/bazarr/releases/tag/v1.3.1
https://securitylab.github.com/advisories/GHSL-2023-192_GHSL-2023-194_bazarr/