CVE-2023-50259: 
Homebrew vulnerability analysis and mitigation

Medusa, an automatic video library manager for TV shows, was found to contain an unauthenticated blind server-side request forgery (SSRF) vulnerability in versions prior to 1.0.19. The vulnerability was discovered in December 2023 and tracked as CVE-2023-50259. The issue affects the testslack request handler functionality in the application (GitHub Advisory, NVD).

The vulnerability exists in the testslack request handler in medusa/server/web/home/handler.py which fails to validate the user-controlled slack_webhook variable. This variable is passed through multiple methods (notifiers.slack_notifier.test_notify, _notify_slack, and finally _send_slack), ultimately resulting in a POST request to the user-controlled URL on line 103 in /medusa/notifiers/slack.py. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (GitHub Lab Advisory).

The vulnerability allows attackers to craft POST requests on behalf of the Medusa server. This could potentially lead to unauthorized access to internal resources or services through server-side request forgery (GitHub Advisory).

The vulnerability has been patched in version 1.0.19 of Medusa. Users are advised to upgrade to this version or later. For those unable to upgrade immediately, it is recommended to implement an allowlist with permitted domains to limit the possibility of unauthorized POST requests (GitHub Advisory).