{"id":"PYSEC-2019-255","details":"data/interfaces/default/history.html in Tautulli 2.1.26 has XSS via a crafted Plex username that is mishandled when constructing the History page.","modified":"2025-10-09T07:05:10.446348Z","published":"2019-02-19T16:29:00Z","withdrawn":"2024-11-22T04:37:05Z","references":[{"type":"REPORT","url":"https://github.com/Tautulli/Tautulli-Issues/issues/161"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/107171"}],"affected":[{"package":{"name":"tautulli","ecosystem":"PyPI","purl":"pkg:pypi/tautulli"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.0.0","1.1.0","1.1.1","1.1.2","1.1.3","1.1.4","1.2.0","1.2.1","2.0.0","2.1.0.294","2.1.1.2103","2.1.1.294","3.0.0.2103","3.0.1.2103","3.0.2.2103","3.1.0.2103","3.1.1.2103","3.1.2.2103","3.1.3.2103","3.1.4.2120","3.2.0.2120","3.2.1.2120","3.3.0.2120","3.3.1.2120","3.4.0.2120","3.4.1.2120","3.5.0.2120","3.5.1.2120","3.5.2.2120","3.5.3.2120","3.6.0.2120","3.7.0.2120","4.0.2120","4.1.0.2140b0","4.2.0.2140b0","4.2.1.2140b0","4.2.2.2140b0","4.3.0.2140b0","4.3.1.2140","4.3.2.2140","4.3.3.2140","4.3.4.2140","4.4.0.2142","4.5.0.2142","4.5.1.2142","4.6.0.2142","4.6.1.2142","4.6.2.2142","4.6.3.2142","4.6.4.2142","4.6.5.2142","4.6.6.2142","4.6.7.2142"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/tautulli/PYSEC-2019-255.yaml"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}