Movary
Monthly
Privilege escalation in Movary (self-hosted movie tracking app) versions before 0.71.1 allows any authenticated user to create administrator accounts and access user-management functions. The vulnerability stems from missing middleware enforcement and a broken boolean condition in the authorization checks for the /settings/users endpoints. The attack requires only low-privilege authenticated access (CVSS PR:L) with no user interaction (UI:N), enabling complete system takeover (C:H/I:H/A:H). The vendor has released patch version 0.71.1. No public exploit was identified at the time of analysis, but exploitation is trivial given the simple bypass mechanism.
{userId}` with `isAdmin=true` for their own user ID, low-privilege users gain full administrative access. Movary versions prior to 0.71.1 are affected. The vendor-released patch, version 0.71.1, is available. EPSS data was not provided; no CISA KEV listing was identified. GitHub references include security advisory GHSA-mcfq-8rx7-w25v and fix commit 12c8a090.
Server-Side Request Forgery in the Movary movie tracking application allows authenticated users to probe internal networks and metadata endpoints. The /settings/jellyfin/server-url-verify endpoint accepts user-controlled URLs without validating them against private IP ranges, enabling internal reconnaissance from the server's network context. All versions prior to 0.71.1 are affected. EPSS data is not available, but exploitation requires only low-privilege authentication (CVSS PR:L) with low attack complexity, making this readily exploitable by any registered user. The upstream fix is confirmed in version 0.71.1 via GitHub commit d459b35.
Movary has a third input validation vulnerability that allows authenticated users to delete arbitrary files from the server, potentially causing data loss or service disruption.
Movary has a second input validation vulnerability allowing authenticated users to write arbitrary files on the server, enabling code execution through web shell upload.
The Movary movie tracking application has an input validation flaw that allows authenticated users to read arbitrary files from the server, potentially exposing configuration files and secrets.