PT-2023-31513 · Medusa · Medusa

Sylwia-Budzynska · Published 2023-12-22 · Updated 2024-01-03 · CVE-2023-50259

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Medusa versions prior to 1.0.19
Description: Medusa is an automatic video library manager for TV shows. The issue is an unauthenticated blind server-side request forgery (SSRF). The testslack request handler in medusa/server/web/home/handler.py does not validate the user-controlled slack_webhook variable and passes it to the notifiers.slack_notifier.test_notify method, then to _notify_slack and finally to the _send_slack method, which sends a POST request to the user-controlled URL on line 103 of /medusa/notifiers/slack.py. This allows crafting POST requests on behalf of the Medusa server.
Recommendations: For versions prior to 1.0.19, update to version 1.0.19 to resolve the issue. As a temporary workaround, consider disabling the testslack request handler in medusa/server/web/home/handler.py until a patch is available. Restrict access to the notifiers.slack_notifier module to minimize the risk of exploitation. Avoid using the slack_webhook variable in the affected API endpoint until the issue is resolved.

Tags: SSRF
Related Identifiers: CVE-2023-50259, GHSA-8MCR-VFFR-JWXV

Affected Products: Medusa