CVE-2023-50258
- Source
- https://cve.org/CVERecord?id=CVE-2023-50258
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-50258.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-50258
- Aliases
-
- GHSA-3hph-6586-qv9g
- Published
- 2023-12-22T16:55:58.406Z
- Modified
- 2025-12-05T00:12:53.023197Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Blind SSRF in `/home/testdiscord` endpoint
- Details
-
Medusa is an automatic video library manager for TV shows. Versions prior to 1.0.19 are vulnerable to unauthenticated blind server-side request forgery (SSRF). The
testDiscordrequest handler inmedusa/server/web/home/handler.pydoes not validate the user-controlleddiscord_webhookvariable and passes it to thenotifiers.discord_notifier.test_notifymethod, then_notify_discordand finally_send_discord_msgmethod, which sends a POST request to the user-controlled URL on line 64 in/medusa/notifiers/discord.py, which leads to a blind server-side request forgery. This issue allows for crafting POST requests on behalf of the Medusa server. Version 1.0.19 contains a fix for the issue. - Database specific
{ "cwe_ids": [ "CWE-918" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/50xxx/CVE-2023-50258.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/50xxx/CVE-2023-50258.json
- https://github.com/pymedusa/Medusa/blob/3d656652ab277e47689483912ed7fc443e7023e8/medusa/notifiers/discord.py#L64
- https://github.com/pymedusa/Medusa/blob/3d656652ab277e47689483912ed7fc443e7023e8/medusa/server/web/home/handler.py#L158
- https://github.com/pymedusa/Medusa/releases/tag/v1.0.19
- https://github.com/pymedusa/Medusa/security/advisories/GHSA-3hph-6586-qv9g
- https://nvd.nist.gov/vuln/detail/CVE-2023-50258
- https://securitylab.github.com/advisories/GHSL-2023-201_GHSL-2023-202_Medusa/
Affected packages
Git / github.com/pymedusa/medusa
Affected ranges
- Type
- GIT
- Repo
- https://github.com/pymedusa/medusa
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.1.16-dev0
Other
initial-fork
v.*
v.0.4.6
v0.*
v0.1.0
v0.1.0rc2
v0.1.1
v0.1.10
v0.1.11
v0.1.12
v0.1.12rc1
v0.1.13
v0.1.14
v0.1.15
v0.1.16
v0.1.17
v0.1.18
v0.1.19
v0.1.1dev1
v0.1.1rc1
v0.1.2
v0.1.20
v0.1.21
v0.1.22
v0.1.23
v0.1.24
v0.1.2rc1
v0.1.3
v0.1.4
v0.1.4.1
v0.1.5
v0.1.5.1
v0.1.6
v0.1.7
v0.1.7.1
v0.1.8
v0.1.8.1
v0.1.9
v0.1.x
v0.2.0
v0.2.1
v0.2.10
v0.2.11
v0.2.12
v0.2.13
v0.2.14
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.3.1
v0.3.10
v0.3.11
v0.3.12
v0.3.13
v0.3.14
v0.3.15
v0.3.16
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.5.0
v0.5.1
v0.5.10
v0.5.11
v0.5.12
v0.5.13
v0.5.14
v0.5.15
v0.5.16
v0.5.17
v0.5.18
v0.5.19
v0.5.2
v0.5.20
v0.5.21
v0.5.22
v0.5.23
v0.5.24
v0.5.25
v0.5.26
v0.5.27
v0.5.28
v0.5.29
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.11
v1.0.12
v1.0.13
v1.0.14
v1.0.15
v1.0.16
v1.0.17
v1.0.18
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9