Tautulli
cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*
- >= 1.3.10, < 2.17.0
A vulnerability in Tautulli, a monitoring tool for Plex Media Server, allows for cross-origin script injection and theft of API keys. This issue affects Tautulli versions 1.3.10 prior to 2.17.0. The vulnerability arises from an unsanitized JSONP callback parameter that is directly concatenated into a JavaScript response, enabling the injection of arbitrary scripts. In unauthenticated installations, this exploitation can lead to unauthorized access to the Tautulli API by stealing the API key, which grants full administrative rights.
Exploitation of this vulnerability allows for arbitrary JavaScript injection, which can be executed in the context of the victim's browser. Additionally, in unauthenticated installations, it enables cross-origin theft of the Tautulli API key, providing unauthorized administrative access.
The vulnerability can be reproduced by sending a request to the Tautulli API v2 with a crafted JSONP callback parameter. This can be done using a self-contained browser proof-of-concept that demonstrates both impacts: the script injection and the API key theft. The Tautulli instance must be running without an HTTP password for the API key theft to be possible.
Users are advised to update Tautulli to version 2.17.0, where this vulnerability has been patched.
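The defect class described above is a JSONP callback name echoed into a script body without validation. The following is an added illustration in Python (Tautulli's implementation language), not Tautulli's own code; the function names, the identifier pattern and the sample callbacks are hypothetical and constructed to contrast the unsafe concatenation with a hardened variant that only accepts a plain JavaScript identifier.

```python
import json
import re

# Hypothetical validator (not Tautulli's code): a JSONP callback must be a
# JavaScript identifier, optionally dotted (e.g. "jQuery.fn.cb"). Anything
# containing parentheses, semicolons, quotes or whitespace is rejected instead
# of being reflected into executable JavaScript.
_CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")
_MAX_CALLBACK_LEN = 64


def is_safe_callback(callback):
    """True only for a callback name that cannot alter the script's syntax."""
    return bool(_CALLBACK_RE.match(callback)) and len(callback) <= _MAX_CALLBACK_LEN


def jsonp_vulnerable(callback, payload):
    """The pattern the advisory describes: the caller-supplied callback is
    concatenated straight into the response. Kept only for contrast."""
    return "%s(%s);" % (callback, json.dumps(payload))


def jsonp_hardened(callback, payload):
    """Build a JSONP body only for a validated callback name.

    Raises ValueError otherwise so the endpoint can answer 400 rather than
    reflect attacker-controlled text. json.dumps with the default
    ensure_ascii=True keeps the payload free of raw U+2028/U+2029, which
    are valid in JSON strings but act as line terminators in JavaScript.
    The leading comment is a conventional prefix for JSONP responses.
    """
    if not is_safe_callback(callback):
        raise ValueError("invalid JSONP callback name")
    return "/**/%s(%s);" % (callback, json.dumps(payload))


def jsonp_headers():
    """Response headers a JSONP endpoint should send alongside the body."""
    return {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample values; "PLACEHOLDER" stands in for a real API key.
    print(jsonp_hardened("jQuery123_cb", {"apikey": "PLACEHOLDER"}))
    for name in ("jQuery.fn.cb", "cb();x", "cb;x", "cb x"):
        print("%-14r -> %s" % (name, "accepted" if is_safe_callback(name) else "rejected"))
```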