CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 2CVE-2023-48702 – Jellyfin Possible Remote Code Execution via custom FFmpeg binary
https://notcve.org/view.php?id=CVE-2023-48702
13 Dec 2023 — Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the `/System/MediaEncoder/Path` endpoint executes an arbitrary file using `ProcessStartInfo` via the `ValidateVersion` function. A malicious administrator can setup a network share and supply a UNC path to `/System/MediaEncoder/Path` which points to an executable on the network share, causing Jellyfin server to run the executable in the local context. The endpoint was removed in version 10.8.13. Jellyfin es un sistema para gest... • https://github.com/jellyfin/jellyfin/commit/83d2c69516471e2db72d9273c6a04247d0f37c86 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.0EPSS: 7%CPEs: 1EXPL: 1CVE-2023-49096 – Argument Injection in FFmpeg codec parameters in Jellyfin
https://notcve.org/view.php?id=CVE-2023-49096
06 Dec 2023 — Jellyfin is a Free Software Media System for managing and streaming media. In affected versions there is an argument injection in the VideosController, specifically the `/Videos/<itemId>/stream` and `/Videos/<itemId>/stream.<container>` endpoints which are present in the current Jellyfin version. Additional endpoints in the AudioController might also be vulnerable, as they differ only slightly in execution. Those endpoints are reachable by an unauthenticated user. • https://cwe.mitre.org/data/definitions/88.html • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-30627 – jellyfin-web has a stored cross-site scripting vulnerability in devices.js
https://notcve.org/view.php?id=CVE-2023-30627
24 Apr 2023 — jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the `REST` endpoints with admin privileges. When combined with CVE-2023-30626, this results in remote code execution on the Jellyfin instance in the context of the user who's running it. This issue is patched in version 10.8.10. There are no known workarounds. • https://github.com/jellyfin/jellyfin-web/commit/b88a5951e1a517ff4c820e693d9c0da981cf68ee • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 1CVE-2023-27161
https://notcve.org/view.php?id=CVE-2023-27161
10 Mar 2023 — Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request. • http://jellyfin.com • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-35909
https://notcve.org/view.php?id=CVE-2022-35909
19 Aug 2022 — In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. En Jellyfin versiones anteriores a 10.8, el endpoint /users presenta un control de acceso incorrecto para la funcionalidad de administrador. • https://docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/edit •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 2CVE-2022-35910
https://notcve.org/view.php?id=CVE-2022-35910
19 Aug 2022 — In Jellyfin before 10.8, stored XSS allows theft of an admin access token. En Jellyfin versiones anteriores a 10.8, un ataque de tipo XSS almacenado permite el robo de un token de acceso de administrador. • https://docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/edit • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 90%CPEs: 1EXPL: 0CVE-2021-29490 – Unauthenticated GET requests through Remote Image endpoints
https://notcve.org/view.php?id=CVE-2021-29490
05 May 2021 — Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and external HTTP servers or other resources available via HTTP `GET` that are visible from the Jellyfin server. The vulnerability is patched in version 10.7.3. As a workaround, disable external access to the API endpo... • https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rgjw-4fwc-9v96 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.7EPSS: 92%CPEs: 1EXPL: 3CVE-2021-21402 – Unauthenticated Arbitrary File Access in Jellyfin
https://notcve.org/view.php?id=CVE-2021-21402
23 Mar 2021 — Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public Internet are potentially at risk. This is fixed in version 10.7.1. • https://github.com/givemefivw/CVE-2021-21402 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •