autobrr qui CORS Misconfiguration Vulnerability Allowing Arbitrary Origins

Vulnerability

A vulnerability exists in the CORS policy of the autobrr qui application in versions through 1.14.1. The policy allows arbitrary origins while also allowing credentials, so any website a logged-in user visits can make authenticated requests to qui on that user's behalf and read the responses. This can expose sensitive information such as API keys and account credentials and, through the External Programs manager, can lead to complete compromise of the host running qui. Exploitation requires that the victim reaches qui through a non-localhost hostname, that the attacker's page targets that hostname, and that the victim loads the malicious webpage.

Impact

Successful exploitation lets an attacker perform any action the victim's session is authorized for, ranging from reading sensitive data to a complete takeover of the host running qui, depending on how the application is deployed.

Reproduction

To reproduce this vulnerability, log in to qui at a non-localhost hostname, then load a webpage that issues cross-origin requests to that hostname with credentials included. Because the policy echoes the page's origin and allows credentials, the browser attaches the session and the page can read the responses. In a real attack the victim is led to such a page by social engineering, for example a link sent in a message.

Remediation

Update to version 1.15.0 or later, where this vulnerability has been addressed. If updating is not possible, disable CORS or restrict it to an explicit allowlist of trusted origins; a reflected Origin header must never be combined with Access-Control-Allow-Credentials: true. To verify a deployment, send a request carrying an arbitrary Origin header and confirm that the response neither echoes that origin in Access-Control-Allow-Origin nor sets Access-Control-Allow-Credentials: true for it.
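The following is an added illustration, not code from qui or from the advisory's author. It models the weak policy (any Origin reflected, credentials allowed) next to the allowlist policy the remediation calls for, and includes the check a practitioner would run against a deployment: does the response to a request from an untrusted origin echo that origin together with Access-Control-Allow-Credentials: true? The middleware shapes, the /api/example path, the origins and the session cookie are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// permissiveCORS models the weak policy the advisory describes: it echoes any
// Origin back and also allows credentials. Illustrative code, not qui's own
// middleware.
func permissiveCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
		}
		if r.Method == http.MethodOptions { // preflight
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// allowlistCORS is the corrected shape: credentials are only ever paired with
// an Origin that appears in a fixed allowlist. Untrusted origins get no CORS
// headers at all, so the browser refuses to expose the response to them.
func allowlistCORS(trusted []string, next http.Handler) http.Handler {
	allowed := make(map[string]struct{}, len(trusted))
	for _, o := range trusted {
		allowed[strings.ToLower(o)] = struct{}{}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Vary on Origin so a cache never serves one origin's ACAO header to another.
		w.Header().Add("Vary", "Origin")
		origin := r.Header.Get("Origin")
		if _, ok := allowed[strings.ToLower(origin)]; ok {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
		}
		if r.Method == http.MethodOptions { // preflight from an untrusted origin carries no CORS headers
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ReflectsCredentialedOrigin is the check to run against a deployment: it
// reports whether these response headers would let a page at attackerOrigin
// read a cookie-authenticated response, i.e. ACAO echoes that origin and
// ACAC is "true".
func ReflectsCredentialedOrigin(h http.Header, attackerOrigin string) bool {
	return h.Get("Access-Control-Allow-Origin") == attackerOrigin &&
		strings.EqualFold(h.Get("Access-Control-Allow-Credentials"), "true")
}

// probe issues an in-process GET carrying the given Origin and a constructed
// session cookie, and returns the response headers. /api/example is a
// hypothetical path.
func probe(handler http.Handler, origin string) http.Header {
	req := httptest.NewRequest(http.MethodGet, "/api/example", nil)
	req.Header.Set("Origin", origin)
	req.AddCookie(&http.Cookie{Name: "session", Value: "constructed-session"})
	rec := httptest.NewRecorder()
	handler.ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	// Stand-in for an authenticated endpoint that returns a secret (constructed).
	secret := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"apiKey":"constructed-sample-key"}`)
	})
	attacker := "https://attacker.example"
	trusted := []string{"https://qui.example"}

	fmt.Println("permissive policy exposed to attacker:",
		ReflectsCredentialedOrigin(probe(permissiveCORS(secret), attacker), attacker)) // true
	fmt.Println("allowlist policy exposed to attacker:",
		ReflectsCredentialedOrigin(probe(allowlistCORS(trusted, secret), attacker), attacker)) // false
	fmt.Println("allowlist policy serves trusted origin:",
		ReflectsCredentialedOrigin(probe(allowlistCORS(trusted, secret), trusted[0]), trusted[0])) // true
}
```

Against a live instance the same check is a single request with an Origin header you control, compared against the response headers exactly as ReflectsCredentialedOrigin does. Note that a non-preflighted request from an untrusted origin still reaches the handler under the allowlist policy; CORS only stops the browser from exposing the response, so state-changing endpoints still need their own CSRF protection.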

Added: Mar 19, 2026, 9:35 PM
Updated: Mar 19, 2026, 9:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.8
remediation: 0.0
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.