CVE-2023-50259
- Source
- https://cve.org/CVERecord?id=CVE-2023-50259
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-50259.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-50259
- Aliases
-
- GHSA-8mcr-vffr-jwxv
- Published
- 2023-12-22T17:00:00.976Z
- Modified
- 2025-11-29T15:06:32.729501Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Blind SSRF in /home/testslack endpoint
- Details
-
Medusa is an automatic video library manager for TV shows. Versions prior to 1.0.19 are vulnerable to unauthenticated blind server-side request forgery (SSRF). The
testslackrequest handler inmedusa/server/web/home/handler.pydoes not validate the user-controlledslack_webhookvariable and passes it to thenotifiers.slack_notifier.test_notifymethod, then_notify_slackand finally_send_slackmethod, which sends a POST request to the user-controlled URL on line 103 in/medusa/notifiers/slack.py, which leads to a blind server-side request forgery (SSRF). This issue allows for crafting POST requests on behalf of the Medusa server. Version 1.0.19 contains a fix for the issue. - Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/50xxx/CVE-2023-50259.json", "cwe_ids": [ "CWE-918" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/50xxx/CVE-2023-50259.json
- https://github.com/pymedusa/Medusa/blob/3d656652ab277e47689483912ed7fc443e7023e8/medusa/notifiers/slack.py#L103
- https://github.com/pymedusa/Medusa/blob/3d656652ab277e47689483912ed7fc443e7023e8/medusa/server/web/home/handler.py#L168
- https://github.com/pymedusa/Medusa/releases/tag/v1.0.19
- https://github.com/pymedusa/Medusa/security/advisories/GHSA-8mcr-vffr-jwxv
- https://nvd.nist.gov/vuln/detail/CVE-2023-50259
- https://securitylab.github.com/advisories/GHSL-2023-201_GHSL-2023-202_Medusa/
Affected packages
Git / github.com/pymedusa/medusa
Affected ranges
- Type
- GIT
- Repo
- https://github.com/pymedusa/medusa
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.1.16-dev0
Other
initial-fork
v.*
v.0.4.6
v0.*
v0.1.0
v0.1.0rc2
v0.1.1
v0.1.10
v0.1.11
v0.1.12
v0.1.12rc1
v0.1.13
v0.1.14
v0.1.15
v0.1.16
v0.1.17
v0.1.18
v0.1.19
v0.1.1dev1
v0.1.1rc1
v0.1.2
v0.1.20
v0.1.21
v0.1.22
v0.1.23
v0.1.24
v0.1.2rc1
v0.1.3
v0.1.4
v0.1.4.1
v0.1.5
v0.1.5.1
v0.1.6
v0.1.7
v0.1.7.1
v0.1.8
v0.1.8.1
v0.1.9
v0.1.x
v0.2.0
v0.2.1
v0.2.10
v0.2.11
v0.2.12
v0.2.13
v0.2.14
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.3.1
v0.3.10
v0.3.11
v0.3.12
v0.3.13
v0.3.14
v0.3.15
v0.3.16
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.5.0
v0.5.1
v0.5.10
v0.5.11
v0.5.12
v0.5.13
v0.5.14
v0.5.15
v0.5.16
v0.5.17
v0.5.18
v0.5.19
v0.5.2
v0.5.20
v0.5.21
v0.5.22
v0.5.23
v0.5.24
v0.5.25
v0.5.26
v0.5.27
v0.5.28
v0.5.29
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.11
v1.0.12
v1.0.13
v1.0.14
v1.0.15
v1.0.16
v1.0.17
v1.0.18
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9