Auto Bangumi
Monthly
Authentication bypass via hard-coded default credentials in AutoBangumi before 3.2.8 lets unauthenticated remote attackers log in as administrator using publicly known credentials that the application seeds at startup via add_default_user() whenever the users table is empty. Successful login grants full control over RSS feed and downloader configuration and every authenticated API endpoint (CVSS 4.0 9.3). No public exploit identified at time of analysis, but the credentials are public and exploitation is trivial against any un-upgraded, freshly-initialized instance.
Server-side request forgery in AutoBangumi before 3.2.8 allows unauthenticated remote attackers to probe internal network services by submitting arbitrary host values to the unprotected POST /api/v1/setup/test-downloader endpoint during the application's initial setup window. The server issues outbound HTTP GET requests to attacker-controlled targets - including internal or reserved IP ranges - and leaks reachability data through echoed connection-error responses, enabling internal network mapping. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS 4.0 base score is 6.9 (Medium), reflecting unauthenticated network access with limited confidentiality impact.
Authentication bypass via hard-coded default credentials in AutoBangumi before 3.2.8 lets unauthenticated remote attackers log in as administrator using publicly known credentials that the application seeds at startup via add_default_user() whenever the users table is empty. Successful login grants full control over RSS feed and downloader configuration and every authenticated API endpoint (CVSS 4.0 9.3). No public exploit identified at time of analysis, but the credentials are public and exploitation is trivial against any un-upgraded, freshly-initialized instance.
Server-side request forgery in AutoBangumi before 3.2.8 allows unauthenticated remote attackers to probe internal network services by submitting arbitrary host values to the unprotected POST /api/v1/setup/test-downloader endpoint during the application's initial setup window. The server issues outbound HTTP GET requests to attacker-controlled targets - including internal or reserved IP ranges - and leaks reachability data through echoed connection-error responses, enabling internal network mapping. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS 4.0 base score is 6.9 (Medium), reflecting unauthenticated network access with limited confidentiality impact.