Input validation error in SABnzbd - CVE-2020-13124

 

Input validation error in SABnzbd - CVE-2020-13124

Published: August 1, 2020 / Updated: June 29, 2026


Vulnerability identifier: #VU135818
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-13124
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SABnzbd
Affected software:
SABnzbd

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation in the isFAT() function in checkdir.py and related settings handling when processing specially crafted Completed Download Folder, Nice, or IONice Parameters settings through the web interface. A remote attacker can submit specially crafted settings values to execute arbitrary code.

Exploitation requires access to the web interface. By default, the web interface is only accessible from localhost, and Windows systems are not affected.


How to mitigate CVE-2020-13124

Install security update from vendor's website.

Sources