Bazarr manages and downloads subtitles. Prior to 1.3.1, the /api/swaggerui/static endpoint in bazarr/app/ui.py does not validate the user-controlled filename variable and uses it in the send_file function, which leads to an arbitrary file read on the system. This issue is fixed in version 1.3.1.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-12-15T20:42:25.409Z
Updated: 2024-08-02T22:16:46.301Z
Reserved: 2023-12-05T20:42:59.379Z
Link: CVE-2023-50265
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2023-12-15T21:15:08.943
Modified: 2023-12-19T20:37:58.280
Link: CVE-2023-50265
Redhat
No data.