Source: sabnzbdplus
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for sabnzbdplus.

CVE-2023-34237[0]:
| SABnzbd is an open source automated Usenet download tool. A design
| flaw was discovered in SABnzbd that could allow remote code
| execution. Manipulating the Parameters setting in the Notification
| Script functionality allows code execution with the privileges of
| the SABnzbd process. Exploiting the vulnerabilities requires access
| to the web interface. Remote exploitation is possible if
| users exposed their setup to the internet or other untrusted
| networks without setting a username/password. By default SABnzbd is
| only accessible from `localhost`, with no authentication required
| for the web interface. This issue has been patched in commits
| `e3a722` and `422b4f` which have been included in the 4.0.2 release.
| Users are advised to upgrade. Users unable to upgrade should ensure
| that a username and password have been set if their instance is web
| accessible.

https://github.com/sabnzbd/sabnzbd/commit/422b4fce7bfd56e95a315be0400cdfdc585df7cc (4.0.2RC2)
https://github.com/sabnzbd/sabnzbd/commit/e3a722664819d1c7c8fab97144cc299b1c18b429 (4.0.2RC2)
https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-hhgh-xgh3-985r

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-34237
    https://www.cve.org/CVERecord?id=CVE-2023-34237

Please adjust the affected versions in the BTS as needed.