Serviio PRO Information Disclosure Vulnerability in REST API
Vulnerability
An information disclosure vulnerability has been identified in Serviio PRO versions 1.8.0.0, 1.7.1, 1.7.0, and 1.6.1. This vulnerability arises from inadequate access control in the Configuration REST API, allowing unauthenticated remote attackers to access sensitive information. Exploitation involves sending specially crafted requests to the REST API endpoints, bypassing authentication to retrieve potentially confidential configuration data.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive information, including system directories and application-specific data such as media links and passwords.
Reproduction
The vulnerability can be reproduced by sending requests to the REST API endpoints without authentication. A proof-of-concept script is available that demonstrates how to exploit this vulnerability. The script can be used to list directories and retrieve the MediaBrowser password from the application's configuration.
