Vulnerability Details CVE-2023-50265
Bazarr manages and downloads subtitles. Prior to 1.3.1, the /api/swaggerui/static endpoint in bazarr/app/ui.py does not validate the user-controlled filename variable and uses it in the send_file function, which leads to an arbitrary file read on the system. This issue is fixed in version 1.3.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 57.2%
CVSS Severity
CVSS v3 Score 7.5
References
- https://github.com/morpheus65535/bazarr/commit/17add7fbb3ae1919a40d505470d499d46df9ae6b
- https://github.com/morpheus65535/bazarr/releases/tag/v1.3.1
- https://securitylab.github.com/advisories/GHSL-2023-192_GHSL-2023-194_bazarr/
- https://github.com/morpheus65535/bazarr/commit/17add7fbb3ae1919a40d505470d499d46df9ae6b
- https://github.com/morpheus65535/bazarr/releases/tag/v1.3.1
- https://securitylab.github.com/advisories/GHSL-2023-192_GHSL-2023-194_bazarr/
Products affected by CVE-2023-50265
-
cpe:2.3:a:bazarr:bazarr:-
-
cpe:2.3:a:bazarr:bazarr:0.6.0
-
cpe:2.3:a:bazarr:bazarr:0.6.1
-
cpe:2.3:a:bazarr:bazarr:0.6.2
-
cpe:2.3:a:bazarr:bazarr:0.6.3
-
cpe:2.3:a:bazarr:bazarr:0.6.4
-
cpe:2.3:a:bazarr:bazarr:0.6.5
-
cpe:2.3:a:bazarr:bazarr:0.6.6
-
cpe:2.3:a:bazarr:bazarr:0.6.6.1
-
cpe:2.3:a:bazarr:bazarr:0.6.6.2
-
cpe:2.3:a:bazarr:bazarr:0.6.6.3
-
cpe:2.3:a:bazarr:bazarr:0.6.7
-
cpe:2.3:a:bazarr:bazarr:0.6.7.1
-
cpe:2.3:a:bazarr:bazarr:0.6.8
-
cpe:2.3:a:bazarr:bazarr:0.6.9
-
cpe:2.3:a:bazarr:bazarr:0.6.9.1
-
cpe:2.3:a:bazarr:bazarr:0.7.0
-
cpe:2.3:a:bazarr:bazarr:0.7.0.1
-
cpe:2.3:a:bazarr:bazarr:0.7.0.2
-
cpe:2.3:a:bazarr:bazarr:0.7.0.3
-
cpe:2.3:a:bazarr:bazarr:0.7.0.4
-
cpe:2.3:a:bazarr:bazarr:0.7.0.5
-
cpe:2.3:a:bazarr:bazarr:0.7.1
-
cpe:2.3:a:bazarr:bazarr:0.7.2
-
cpe:2.3:a:bazarr:bazarr:0.7.2.1
-
cpe:2.3:a:bazarr:bazarr:0.7.3
-
cpe:2.3:a:bazarr:bazarr:0.7.4
-
cpe:2.3:a:bazarr:bazarr:0.7.5
-
cpe:2.3:a:bazarr:bazarr:0.7.5.1
-
cpe:2.3:a:bazarr:bazarr:0.8
-
cpe:2.3:a:bazarr:bazarr:0.8.1
-
cpe:2.3:a:bazarr:bazarr:0.8.2
-
cpe:2.3:a:bazarr:bazarr:0.8.2.1
-
cpe:2.3:a:bazarr:bazarr:0.8.2.2
-
cpe:2.3:a:bazarr:bazarr:0.8.2.3
-
cpe:2.3:a:bazarr:bazarr:0.8.2.4
-
cpe:2.3:a:bazarr:bazarr:0.8.3
-
cpe:2.3:a:bazarr:bazarr:0.8.3.1
-
cpe:2.3:a:bazarr:bazarr:0.8.3.2
-
cpe:2.3:a:bazarr:bazarr:0.8.3.3
-
cpe:2.3:a:bazarr:bazarr:0.8.3.4
-
cpe:2.3:a:bazarr:bazarr:0.8.4
-
cpe:2.3:a:bazarr:bazarr:0.8.4.1
-
cpe:2.3:a:bazarr:bazarr:0.8.4.2
-
cpe:2.3:a:bazarr:bazarr:0.8.4.3
-
cpe:2.3:a:bazarr:bazarr:0.8.4.4
-
cpe:2.3:a:bazarr:bazarr:0.9
-
cpe:2.3:a:bazarr:bazarr:0.9.0.1
-
cpe:2.3:a:bazarr:bazarr:0.9.0.2
-
cpe:2.3:a:bazarr:bazarr:0.9.0.3
-
cpe:2.3:a:bazarr:bazarr:0.9.0.4
-
cpe:2.3:a:bazarr:bazarr:0.9.0.5
-
cpe:2.3:a:bazarr:bazarr:0.9.0.6
-
cpe:2.3:a:bazarr:bazarr:0.9.0.7
-
cpe:2.3:a:bazarr:bazarr:0.9.0.8
-
cpe:2.3:a:bazarr:bazarr:0.9.1
-
cpe:2.3:a:bazarr:bazarr:0.9.1.1
-
cpe:2.3:a:bazarr:bazarr:0.9.10
-
cpe:2.3:a:bazarr:bazarr:0.9.2
-
cpe:2.3:a:bazarr:bazarr:0.9.3
-
cpe:2.3:a:bazarr:bazarr:0.9.4
-
cpe:2.3:a:bazarr:bazarr:0.9.5
-
cpe:2.3:a:bazarr:bazarr:0.9.6
-
cpe:2.3:a:bazarr:bazarr:0.9.7
-
cpe:2.3:a:bazarr:bazarr:0.9.8
-
cpe:2.3:a:bazarr:bazarr:0.9.9
-
cpe:2.3:a:bazarr:bazarr:1.0.0
-
cpe:2.3:a:bazarr:bazarr:1.0.1
-
cpe:2.3:a:bazarr:bazarr:1.0.2
-
cpe:2.3:a:bazarr:bazarr:1.0.3
-
cpe:2.3:a:bazarr:bazarr:1.0.4
-
cpe:2.3:a:bazarr:bazarr:1.0.5
-
cpe:2.3:a:bazarr:bazarr:1.1.0
-
cpe:2.3:a:bazarr:bazarr:1.1.1
-
cpe:2.3:a:bazarr:bazarr:1.1.2
-
cpe:2.3:a:bazarr:bazarr:1.1.3
-
cpe:2.3:a:bazarr:bazarr:1.1.4
-
cpe:2.3:a:bazarr:bazarr:1.1.5
-
cpe:2.3:a:bazarr:bazarr:1.2.0
-
cpe:2.3:a:bazarr:bazarr:1.2.1
-
cpe:2.3:a:bazarr:bazarr:1.2.2
-
cpe:2.3:a:bazarr:bazarr:1.2.3
-
cpe:2.3:a:bazarr:bazarr:1.2.4
-
cpe:2.3:a:bazarr:bazarr:1.2.5
-
cpe:2.3:a:bazarr:bazarr:1.3.0