Seerr Missing Authorization Vulnerability in Push Subscription Endpoints
Vulnerability
A missing authorization vulnerability has been identified in Seerr, an open-source media request and discovery manager for Jellyfin, Plex, and Emby. The vulnerability affects versions 2.7.0 and later, prior to 3.1.0. It allows authenticated users to access and modify data belonging to other users: by changing the userId parameter in the URL, a user can view or delete another user's push subscriptions. The root cause is the absence of the isOwnProfileOrAdmin() middleware on several push subscription API routes.
Impact
Exploitation of this vulnerability allows authenticated users to access and delete push subscriptions belonging to other users.
Reproduction
To reproduce this vulnerability, an authenticated user can send requests to the affected push subscription API routes without the proper authorization. The missing isOwnProfileOrAdmin() middleware allows for unauthorized access and modification of push subscription data by simply changing the userId parameter in the URL to that of another user.
Remediation
Users can upgrade to Seerr version 3.1.0, which addresses this vulnerability by adding the necessary authorization middleware to the affected routes.
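The following is an added illustration of the class of fix described above, not Seerr's own code: a route handler that trusts the userId path parameter after authentication alone, beside the same handler guarded by an ownership-or-admin check. The store, the permission flag, and the function names are assumptions; the handlers are plain functions so the snippet runs without Express.

```javascript
// Constructed data: a fresh store in which each user id owns one push subscription.
function makeStore() {
  return new Map([
    [1, { endpoint: 'https://push.example/alice' }], // owned by user 1
    [2, { endpoint: 'https://push.example/bob' }],   // owned by user 2
  ]);
}

// Assumed permission model: a single bit flag marks administrators.
const ADMIN = 1 << 1;

// The check the affected routes lacked: the userId in the path must be the
// caller's own id, or the caller must hold the admin permission.
function isOwnProfileOrAdmin(req) {
  const targetId = Number(req.params.userId);
  if (!req.user || !Number.isInteger(targetId)) return false;
  return req.user.id === targetId || (req.user.permissions & ADMIN) !== 0;
}

// Applies the check the way a route-level middleware would: the request is
// rejected before the handler reads or mutates any data.
function requireOwnProfileOrAdmin(handler) {
  return (store, req) => {
    if (!req.user) return { status: 401 };
    if (!isOwnProfileOrAdmin(req)) return { status: 403 };
    return handler(store, req);
  };
}

// Vulnerable shape: authentication only. Any logged-in user can read the
// subscription of whichever userId they put in the URL.
function getSubscription(store, req) {
  if (!req.user) return { status: 401 };
  const sub = store.get(Number(req.params.userId));
  return sub ? { status: 200, body: sub } : { status: 404 };
}

// Vulnerable shape for deletion: same missing ownership check.
function deleteSubscription(store, req) {
  if (!req.user) return { status: 401 };
  const targetId = Number(req.params.userId);
  if (!store.has(targetId)) return { status: 404 };
  store.delete(targetId);
  return { status: 204 };
}

// Hardened shape: the same handlers with the ownership-or-admin guard in front.
const getSubscriptionHardened = requireOwnProfileOrAdmin(getSubscription);
const deleteSubscriptionHardened = requireOwnProfileOrAdmin(deleteSubscription);
```

A regression test for the patched routes should assert that a non-admin user receives 403 for a foreign userId and that the foreign subscription is still present afterwards.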
