Remote code execution via specially crafted script settings in SABnzbd

SABnzbd is an open source automated Usenet download tool. A design flaw was discovered in SABnzbd that could allow remote code execution. Manipulating the Parameters setting in the Notification Script functionality allows code execution with the privileges of the SABnzbd process. Exploiting the vulnerabilities requires access to the web interface. Remote exploitation is possible if users[exposed their setup to the internet or other untrusted networks without setting a username/password. By default SABnzbd is only accessible from `localhost`, with no authentication required for the web interface. This issue has been patched in commits `e3a722` and `422b4f` which have been included in the 4.0.2 release. Users are advised to upgrade. Users unable to upgrade should ensure that a username and password have been set if their instance is web accessible.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

对生成代码的控制不恰当(代码注入)

SABnzbd 代码注入漏洞

SABnzbd是SABnzbd开源的一个用 Python 编写的开源二进制新闻阅读器。 SABnzbd 1.1.0至4.0.2RC1版本存在代码注入漏洞，该漏洞源于允许以 SABnzbd 进程的权限执行代码。

N/A

N/A