CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43801 – Privilege escalation to admin from a low-privileged user via SVG upload in Jellyfin
https://notcve.org/view.php?id=CVE-2024-43801
Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the Jellyfin Web UI (e.g. via "view image" in a browser), this malicious SVG file could interact with the browser's LocalStorage and retrieve an AccessToken, which in turn can be used in an API call to elevate the target user to a Jellyfin administrator. The actual attack vector is unlikely to be exploited, as it requires specific actions by the administrator to view the SVG image outside of Jellyfin's WebUI, i.e. it is not a passive attack. The underlying exploit mechanism is solved by PR #12490, which forces attached images (including the potential malicious SVG) to be treated as attachments and thus downloaded by browsers, rather than viewed. • https://github.com/jellyfin/jellyfin/security/advisories/GHSA-vcmh-9wx9-rfqh https://github.com/jellyfin/jellyfin/pull/12490 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 2CVE-2023-48702 – Jellyfin Possible Remote Code Execution via custom FFmpeg binary
https://notcve.org/view.php?id=CVE-2023-48702
Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the `/System/MediaEncoder/Path` endpoint executes an arbitrary file using `ProcessStartInfo` via the `ValidateVersion` function. A malicious administrator can setup a network share and supply a UNC path to `/System/MediaEncoder/Path` which points to an executable on the network share, causing Jellyfin server to run the executable in the local context. The endpoint was removed in version 10.8.13. Jellyfin es un sistema para gestionar y transmitir medios. • https://github.com/jellyfin/jellyfin/commit/83d2c69516471e2db72d9273c6a04247d0f37c86 https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rr9h-w522-cvmr https://securitylab.github.com/advisories/GHSL-2023-028_jellyfin • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-49096 – Argument Injection in FFmpeg codec parameters in Jellyfin
https://notcve.org/view.php?id=CVE-2023-49096
Jellyfin is a Free Software Media System for managing and streaming media. In affected versions there is an argument injection in the VideosController, specifically the `/Videos/<itemId>/stream` and `/Videos/<itemId>/stream.<container>` endpoints which are present in the current Jellyfin version. Additional endpoints in the AudioController might also be vulnerable, as they differ only slightly in execution. Those endpoints are reachable by an unauthenticated user. • https://cwe.mitre.org/data/definitions/88.html https://en.wikipedia.org/wiki/Pass_the_hash https://ffmpeg.org/ffmpeg-filters.html#drawtext-1 https://github.com/jellyfin/jellyfin/commit/a656799dc879d16d21bf2ce7ad412ebd5d45394a https://github.com/jellyfin/jellyfin/issues/5415 https://github.com/jellyfin/jellyfin/security/advisories/GHSA-866x-wj5j-2vf4 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-30627 – jellyfin-web has a stored cross-site scripting vulnerability in devices.js
https://notcve.org/view.php?id=CVE-2023-30627
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the `REST` endpoints with admin privileges. When combined with CVE-2023-30626, this results in remote code execution on the Jellyfin instance in the context of the user who's running it. This issue is patched in version 10.8.10. There are no known workarounds. • https://github.com/jellyfin/jellyfin-web/commit/b88a5951e1a517ff4c820e693d9c0da981cf68ee https://github.com/jellyfin/jellyfin-web/releases/tag/v10.8.10 https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2023-30626 – Jellyfin vulnerable to directory traversal and file write causing arbitrary code execution
https://notcve.org/view.php?id=CVE-2023-30626
Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds. • https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44 https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7 https://github.com/jellyfin/jellyfin/pull/5918 https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10 https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •