CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43801 – Privilege escalation to admin from a low-privileged user via SVG upload in Jellyfin
https://notcve.org/view.php?id=CVE-2024-43801
02 Sep 2024 — Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the Jellyfin Web UI (e.g. via "view image" in a browser), this malicious SVG file could interact with the browser's LocalStorage and retrieve an AccessToken, which in turn can be used in an API call to elevate the target user to a Jellyfin administrator. The actual a... • https://github.com/jellyfin/jellyfin/security/advisories/GHSA-vcmh-9wx9-rfqh • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 2CVE-2023-48702 – Jellyfin Possible Remote Code Execution via custom FFmpeg binary
https://notcve.org/view.php?id=CVE-2023-48702
13 Dec 2023 — Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the `/System/MediaEncoder/Path` endpoint executes an arbitrary file using `ProcessStartInfo` via the `ValidateVersion` function. A malicious administrator can setup a network share and supply a UNC path to `/System/MediaEncoder/Path` which points to an executable on the network share, causing Jellyfin server to run the executable in the local context. The endpoint was removed in version 10.8.13. Jellyfin es un sistema para gest... • https://github.com/jellyfin/jellyfin/commit/83d2c69516471e2db72d9273c6a04247d0f37c86 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-49096 – Argument Injection in FFmpeg codec parameters in Jellyfin
https://notcve.org/view.php?id=CVE-2023-49096
06 Dec 2023 — Jellyfin is a Free Software Media System for managing and streaming media. In affected versions there is an argument injection in the VideosController, specifically the `/Videos/<itemId>/stream` and `/Videos/<itemId>/stream.<container>` endpoints which are present in the current Jellyfin version. Additional endpoints in the AudioController might also be vulnerable, as they differ only slightly in execution. Those endpoints are reachable by an unauthenticated user. • https://cwe.mitre.org/data/definitions/88.html • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-30627 – jellyfin-web has a stored cross-site scripting vulnerability in devices.js
https://notcve.org/view.php?id=CVE-2023-30627
24 Apr 2023 — jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the `REST` endpoints with admin privileges. When combined with CVE-2023-30626, this results in remote code execution on the Jellyfin instance in the context of the user who's running it. This issue is patched in version 10.8.10. There are no known workarounds. • https://github.com/jellyfin/jellyfin-web/commit/b88a5951e1a517ff4c820e693d9c0da981cf68ee • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2023-30626 – Jellyfin vulnerable to directory traversal and file write causing arbitrary code execution
https://notcve.org/view.php?id=CVE-2023-30626
24 Apr 2023 — Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds. • https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-27161
https://notcve.org/view.php?id=CVE-2023-27161
10 Mar 2023 — Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request. • http://jellyfin.com • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-23635
https://notcve.org/view.php?id=CVE-2023-23635
03 Feb 2023 — In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim. • https://github.com/jellyfin/jellyfin-web/issues/3788 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 2CVE-2023-23636
https://notcve.org/view.php?id=CVE-2023-23636
03 Feb 2023 — In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim. • https://github.com/jellyfin/jellyfin-web/issues/3788 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-35909
https://notcve.org/view.php?id=CVE-2022-35909
19 Aug 2022 — In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. En Jellyfin versiones anteriores a 10.8, el endpoint /users presenta un control de acceso incorrecto para la funcionalidad de administrador. • https://docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/edit •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 2CVE-2022-35910
https://notcve.org/view.php?id=CVE-2022-35910
19 Aug 2022 — In Jellyfin before 10.8, stored XSS allows theft of an admin access token. En Jellyfin versiones anteriores a 10.8, un ataque de tipo XSS almacenado permite el robo de un token de acceso de administrador. • https://docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/edit • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •