CVE-2023-50266

Name of the Vulnerable Software and Affected Versions Bazarr versions 1.2.4 through 1.3.0

Description Bazarr manages and downloads subtitles. The proxy method in bazarr/bazarr/app/ui.py does not validate the user-controlled protocol and url variables and passes them to requests.get() without any sanitization, which leads to a blind server-side request forgery (SSRF). This issue allows for crafting GET requests to internal and external resources on behalf of the server.

Recommendations For versions 1.2.4 through 1.3.0, consider disabling the proxy method in bazarr/bazarr/app/ui.py until a full fix is available. For version 1.3.1, although it contains a partial fix, it is still recommended to restrict access to the proxy method to minimize the risk of exploitation, as the vulnerability is limited to HTTP/HTTPS protocols.