CVE-2023-50265

Name of the Vulnerable Software and Affected Versions Bazarr versions prior to 1.3.1

Description The issue arises from the lack of validation of the user-controlled filename variable in the /api/swaggerui/static endpoint, which is located in bazarr/app/ui.py. This oversight allows the variable to be used in the send file function, resulting in an arbitrary file read on the system.

Recommendations For versions prior to 1.3.1, update to version 1.3.1 to resolve the issue. As a temporary workaround, consider restricting access to the /api/swaggerui/static endpoint until the update is applied. Avoid using the filename variable in the affected endpoint until the issue is resolved.