5.4 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): NONE
by @LeSuisse
Activity log
- Created automatic suggestion
- @LeSuisse removed 7 packages:
  - overseerr
  - jellyseerr
  - python312Packages.python-overseerr
  - python313Packages.python-overseerr
  - python314Packages.python-overseerr
  - home-assistant-component-tests.overseerr
  - tests.home-assistant-component-tests.overseerr
- @LeSuisse dismissed
Seerr missing authentication on pushSubscription endpoints
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other users. This issue is due to the absence of the `isOwnProfileOrAdmin()` middleware on several push subscription API routes. Version 3.1.0 fixes the issue.
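The missing check the advisory describes, as an added illustration in TypeScript that is not Seerr's own code: it models an Express-style route for another user's push subscription with and without an ownership-or-admin guard in front of it. Every name other than `isOwnProfileOrAdmin` is an assumption, as is the request shape (`req.user` for the caller, `req.params.userId` for the targeted profile).

```typescript
// Added illustration, not Seerr's own code: a minimal model of an
// Express-style per-route guard showing why a route that reads or writes
// another user's pushSubscription data must run an ownership-or-admin check.
// Assumptions (hypothetical names except isOwnProfileOrAdmin): req.user is the
// authenticated caller and req.params.userId is the profile being targeted.
type User = { id: number; isAdmin: boolean };
type Req = { user: User; params: { userId: string } };
type Res = { status: number; body?: string };
type Handler = (req: Req) => Res;
type Middleware = (req: Req) => Res | null; // null means "pass to next"

// Ownership-or-admin guard, modelled on the middleware the advisory names.
const isOwnProfileOrAdmin: Middleware = (req) => {
  const target = Number(req.params.userId);
  if (!Number.isInteger(target)) return { status: 400, body: "bad userId" };
  if (req.user.isAdmin || req.user.id === target) return null;
  return { status: 403, body: "forbidden" };
};

// Run the middleware chain and then the handler, as a router would.
function dispatch(chain: Middleware[], handler: Handler, req: Req): Res {
  for (const mw of chain) {
    const early = mw(req);
    if (early !== null) return early;
  }
  return handler(req);
}

// Simulate `actor` deleting user 1's push subscription, with the route wired
// either without the guard (the pre-3.1.0 shape) or with it (the 3.1.0 shape).
// Returns the HTTP status and whether user 1's subscription survived.
function attemptDelete(
  guarded: boolean,
  actor: User,
): { status: number; survived: boolean } {
  // Constructed sample store: user 1 has one registered subscription.
  const store = new Map<number, string>([[1, "endpoint-of-user-1"]]);
  const deleteSubscription: Handler = (req) => {
    store.delete(Number(req.params.userId));
    return { status: 204 };
  };
  const req: Req = { user: actor, params: { userId: "1" } };
  const res = dispatch(guarded ? [isOwnProfileOrAdmin] : [], deleteSubscription, req);
  return { status: res.status, survived: store.has(1) };
}
```

The guard has to sit on every route that takes a user id, which is exactly the audit the fix amounts to: a handler that trusts the id in the path with no check in front of it lets any logged-in user act on anyone's data.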
References
- https://github.com/seerr-team/seerr/security/advisories/GHSA-gx3h-3jg5-q65f
- https://github.com/seerr-team/seerr/commit/946bdecec524b4e7f8aaf8f2b3856f319a3580c1
- https://github.com/seerr-team/seerr/releases/tag/v3.1.0
Affected products
- Seerr >= 2.7.0, < 3.1.0
Ignored packages (7)
- pkgs.overseerr: Request management and media discovery tool for the Plex ecosystem
- pkgs.jellyseerr: Fork of overseerr for jellyfin support
- pkgs.python312Packages.python-overseerr: Client for Overseerr
- pkgs.python313Packages.python-overseerr: Client for Overseerr
- pkgs.python314Packages.python-overseerr: Client for Overseerr
- pkgs.home-assistant-component-tests.overseerr: Open source home automation that puts local control and privacy first
- pkgs.tests.home-assistant-component-tests.overseerr: Open source home automation that puts local control and privacy first