{"id":"PYSEC-2019-254","details":"In Tautulli 2.1.9, CSRF in the /shutdown URI allows an attacker to shut down the remote media server. (Also, anonymous access can be achieved in applications that do not have a user login area).","modified":"2025-10-09T06:52:53.458752Z","published":"2019-12-18T18:15:00Z","withdrawn":"2024-11-22T04:37:05Z","references":[{"type":"WEB","url":"https://github.com/Tautulli/Tautulli/compare/v2.1.9...v2.1.10-beta"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/155710/Tautulli-2.1.9-Cross-Site-Request-Forgery.html"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/155974/Tautulli-2.1.9-Denial-Of-Service.html"}],"affected":[{"package":{"name":"tautulli","ecosystem":"PyPI","purl":"pkg:pypi/tautulli"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.0.0","1.1.0","1.1.1","1.1.2","1.1.3","1.1.4","1.2.0","1.2.1","2.0.0","2.1.0.294","2.1.1.2103","2.1.1.294","3.0.0.2103","3.0.1.2103","3.0.2.2103","3.1.0.2103","3.1.1.2103","3.1.2.2103","3.1.3.2103","3.1.4.2120","3.2.0.2120","3.2.1.2120","3.3.0.2120","3.3.1.2120","3.4.0.2120","3.4.1.2120","3.5.0.2120","3.5.1.2120","3.5.2.2120","3.5.3.2120","3.6.0.2120","3.7.0.2120","4.0.2120","4.1.0.2140b0","4.2.0.2140b0","4.2.1.2140b0","4.2.2.2140b0","4.3.0.2140b0","4.3.1.2140","4.3.2.2140","4.3.3.2140","4.3.4.2140","4.4.0.2142","4.5.0.2142","4.5.1.2142","4.6.0.2142","4.6.1.2142","4.6.2.2142","4.6.3.2142","4.6.4.2142","4.6.5.2142","4.6.6.2142","4.6.7.2142"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/tautulli/PYSEC-2019-254.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}