Seerr: Unauthorized Users Can Access Other Users' Data

Summary

Seerr, a media manager used with popular media platforms, has a security flaw that lets authenticated users see and change data belonging to other users. This means a malicious user could access and alter information they shouldn't be able to. Update to the latest version of Seerr, 3.1.0, to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
seerr	seerr	> 2.7.0 , <= 3.1.0	–

Original title

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and ...

Original description

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other users. This issue is due to the absence of the `isOwnProfileOrAdmin()` middleware on several push subscription API routes. Version 3.1.0 fixes the issue.

nvd CVSS3.1 5.4

Vulnerability type

CWE-862 Missing Authorization

https://github.com/seerr-team/seerr/commit/946bdecec524b4e7f8aaf8f2b3856f319a358... Patch
https://github.com/seerr-team/seerr/releases/tag/v3.1.0 Product Release Notes
https://github.com/seerr-team/seerr/security/advisories/GHSA-gx3h-3jg5-q65f Vendor Advisory