CVE-2023-49102

Name of the Vulnerable Software and Affected Versions NZBGet version 21.1

Description The issue allows authenticated remote code execution due to the unarchive programs (7za and unrar) preserving executable file permissions. An attacker with Control capability can execute a file by setting the value of SevenZipCommand or UnrarCmd. This issue only affects products that are no longer supported by the maintainer.

Recommendations For NZBGet version 21.1, consider disabling the SevenZipCommand and UnrarCmd settings to prevent exploitation until a patch is available. Restrict access to the unarchive programs (7za and unrar) to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.