Vulmon
<!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="44"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#49">By Date</a>
<a href="50"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="44"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#49">By Thread</a>
<a href="50"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>
</div>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">CVE-2019-8939: XSS in Tautulli</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
<em>From</em>: Geeknik Labs via Fulldisclosure <fulldisclosure () seclists org>
<em>Date</em>: Thu, 21 Feb 2019 19:10:11 +0000
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Tautulli (<a rel="nofollow" href="https://tautulli.com/">https://tautulli.com/</a>) is a Python based monitoring and tracking tool for Plex Media Server.
We discovered that an authenticated Plex Media Server user could change their Plex username to include JavaScript and
Tautulli would fail to sanitize the username so that when the Plex Media Server administrator viewed certain pages
generated by Tautulli, the JavaScript would be executed in the context of the server administrator.
This was disclosed to the project's issue tracker on 19 February 2019 and was marked as fixed in the next release by
the developer on 20 February 2019.
Initial Report: <a rel="nofollow" href="https://github.com/Tautulli/Tautulli-Issues/issues/161">https://github.com/Tautulli/Tautulli-Issues/issues/161</a>
Patch: <a rel="nofollow" href="https://github.com/Tautulli/Tautulli/commit/6a21d7690a40ea4678ad0908a6a1846c289cc943">https://github.com/Tautulli/Tautulli/commit/6a21d7690a40ea4678ad0908a6a1846c289cc943</a>
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives & RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a>
</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="44"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#49">By Date</a>
<a href="50"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="44"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#49">By Thread</a>
<a href="50"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>CVE-2019-8939: XSS in Tautulli</strong> <em>Geeknik Labs via Fulldisclosure (Feb 22)</em>
</li></ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>