CVE-2023-50258: 
Homebrew vulnerability analysis and mitigation

Medusa, an automatic video library manager for TV shows, was found to contain an unauthenticated blind server-side request forgery (SSRF) vulnerability in versions prior to 1.0.19. The vulnerability was discovered in December 2023 and tracked as CVE-2023-50258. The issue affects the testDiscord request handler in the application's web interface (GitHub Advisory, NVD).

The vulnerability exists in the testDiscord request handler within medusa/server/web/home/handler.py. The handler fails to validate the user-controlled discord_webhook variable, which is passed through multiple methods (notifiers.discord_notifier.test_notify, _notify_discord, and finally _send_discord_msg). The _send_discord_msg method sends a POST request to the user-controlled URL on line 64 in /medusa/notifiers/discord.py, leading to blind server-side request forgery. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (GitHub Security Lab).

This vulnerability allows attackers to craft POST requests on behalf of the Medusa server, potentially enabling them to interact with internal services or perform unauthorized actions through the server (GitHub Advisory).

The vulnerability has been fixed in version 1.0.19 of Medusa. Users are advised to upgrade to this version or later. The recommended remediation approach includes implementing an allowlist with allowed domains to limit the possibility of sending POST requests on behalf of Medusa (GitHub Advisory, Release Notes).