Sickbeard Cross-Site Request Forgery Vulnerability Allowing Authentication Bypass
Vulnerability
A cross-site request forgery (CSRF) vulnerability has been identified in Sickbeard alpha. This vulnerability allows attackers to disable authentication by sending crafted configuration parameters. By tricking users into submitting a malicious form, attackers can clear the web username and password fields, effectively removing authentication requirements. The vulnerability is present in Sickbeard versions prior to the latest commit on October 27, 2024.
Impact
Exploitation of this vulnerability disables authentication, allowing unauthorized access to the application.
Reproduction
To reproduce this vulnerability, send a POST request to the '/config/general/saveGeneral' endpoint with the 'web_username' and 'web_password' fields cleared. This can be done by submitting a form that includes the other required configuration parameters, such as 'log_dir', 'web_port', 'https_cert', 'https_key', and 'api_key', while leaving the username and password fields empty. After the form is submitted, a server restart is needed for the changes to take effect.
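As an added example (not Sickbeard's own code), the checks a configuration-save handler can apply so that the request described above is rejected: a per-session anti-CSRF token, an Origin/Referer check, and a rule that clearing both credential fields requires the current password. The endpoint path and field names come from the advisory; the session dict, the `csrf_token` and `current_password` form fields, and the `check_password` hook are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Endpoint and field names are the ones named in the advisory.
SAVE_PATH = "/config/general/saveGeneral"
CRED_FIELDS = ("web_username", "web_password")


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session anti-CSRF token; the settings form must echo it back."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def same_origin(headers: dict, expected_host: str) -> bool:
    """Browsers attach Origin (or at least Referer) to cross-site form posts;
    a missing or foreign value means the post did not come from our own UI."""
    src = headers.get("Origin") or headers.get("Referer")
    return bool(src) and urlsplit(src).netloc == expected_host


def validate_save_general(method, path, headers, form, session,
                          expected_host, check_password):
    """Return (accepted, reason) for a saveGeneral submission.

    check_password(candidate) -> bool is a hypothetical hook into the
    application's existing credential check (assumed, not Sickbeard's API)."""
    if method != "POST" or path != SAVE_PATH:
        return False, "not a saveGeneral POST"
    sent = form.get("csrf_token", "").encode()
    expected = session.get("csrf_token", "").encode()
    if not expected or not hmac.compare_digest(sent, expected):
        return False, "missing or invalid csrf token"
    if not same_origin(headers, expected_host):
        return False, "cross-origin form submission"
    # Clearing both fields is exactly the change that disables authentication.
    # Treat it as a privileged action: require the current password as well.
    if not any(form.get(f) for f in CRED_FIELDS):
        if not check_password(form.get("current_password", "")):
            return False, "refusing to clear credentials without current password"
    return True, "ok"
```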
