Code Injection in SABnzbd - CVE-2023-34237
Published: December 27, 2023
SABnzbd
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when handling parameter settings in the Notification Script functionality. A remote attacker with access to the application's web interface can pass specially crafted parameters and execute arbitrary code on the system.
Note: by default, the web interface is accessible without authentication only from localhost.
How to mitigate CVE-2023-34237
Sources
- https://sabnzbd.org/wiki/configuration/4.0/general
- https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-hhgh-xgh3-985r
- https://github.com/sabnzbd/sabnzbd/commit/422b4fce7bfd56e95a315be0400cdfdc585df7cc
- https://github.com/sabnzbd/sabnzbd/commit/e3a722664819d1c7c8fab97144cc299b1c18b429
- https://security.gentoo.org/glsa/202312-11