Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in POST /api/v1/auth/jellyfin allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: settings.main.mediaServerType is set to PLEX (the most common deployment).; settings.jellyfin.ip is set to `` (default, meaning Jellyfin was never configured); and settings.main.newPlexLogin is set to true (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue.
Weakness
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Seerr | Seerr | 2.0.0 (including) | 3.1.0 (excluding) |