Code Injection in SABnzbd - CVE-2023-34237

 

Code Injection in SABnzbd - CVE-2023-34237

Published: December 27, 2023


Vulnerability identifier: #VU84804
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-34237
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SABnzbd
Affected software:
SABnzbd

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation when handling parameters settings in the Notification Script functionality. A remote attacker with access to the application's web interface can pass specially crafted parameters and execute arbitrary code on the system.

Note, by default the web interface is accessible without authentication only from localhost.


How to mitigate CVE-2023-34237

Install updates from vendor's website.

Sources