CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 2CVE-2023-48702 – Jellyfin Possible Remote Code Execution via custom FFmpeg binary
https://notcve.org/view.php?id=CVE-2023-48702
Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the `/System/MediaEncoder/Path` endpoint executes an arbitrary file using `ProcessStartInfo` via the `ValidateVersion` function. A malicious administrator can setup a network share and supply a UNC path to `/System/MediaEncoder/Path` which points to an executable on the network share, causing Jellyfin server to run the executable in the local context. The endpoint was removed in version 10.8.13. Jellyfin es un sistema para gestionar y transmitir medios. • https://github.com/jellyfin/jellyfin/commit/83d2c69516471e2db72d9273c6a04247d0f37c86 https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rr9h-w522-cvmr https://securitylab.github.com/advisories/GHSL-2023-028_jellyfin • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-49096 – Argument Injection in FFmpeg codec parameters in Jellyfin
https://notcve.org/view.php?id=CVE-2023-49096
Jellyfin is a Free Software Media System for managing and streaming media. In affected versions there is an argument injection in the VideosController, specifically the `/Videos/<itemId>/stream` and `/Videos/<itemId>/stream.<container>` endpoints which are present in the current Jellyfin version. Additional endpoints in the AudioController might also be vulnerable, as they differ only slightly in execution. Those endpoints are reachable by an unauthenticated user. • https://cwe.mitre.org/data/definitions/88.html https://en.wikipedia.org/wiki/Pass_the_hash https://ffmpeg.org/ffmpeg-filters.html#drawtext-1 https://github.com/jellyfin/jellyfin/commit/a656799dc879d16d21bf2ce7ad412ebd5d45394a https://github.com/jellyfin/jellyfin/issues/5415 https://github.com/jellyfin/jellyfin/security/advisories/GHSA-866x-wj5j-2vf4 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-30627 – jellyfin-web has a stored cross-site scripting vulnerability in devices.js
https://notcve.org/view.php?id=CVE-2023-30627
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the `REST` endpoints with admin privileges. When combined with CVE-2023-30626, this results in remote code execution on the Jellyfin instance in the context of the user who's running it. This issue is patched in version 10.8.10. There are no known workarounds. • https://github.com/jellyfin/jellyfin-web/commit/b88a5951e1a517ff4c820e693d9c0da981cf68ee https://github.com/jellyfin/jellyfin-web/releases/tag/v10.8.10 https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-27161
https://notcve.org/view.php?id=CVE-2023-27161
Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request. • http://jellyfin.com https://gist.github.com/b33t1e/5c067e0538a0b712dc3d59bd4b9a5952 https://github.com/jellyfin/jellyfin https://notes.sjtu.edu.cn/s/yJ9lPk09a • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-35909
https://notcve.org/view.php?id=CVE-2022-35909
In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. En Jellyfin versiones anteriores a 10.8, el endpoint /users presenta un control de acceso incorrecto para la funcionalidad de administrador. • https://docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/edit https://github.com/jellyfin/jellyfin/pull/7569/files https://medium.com/stolabs/cve-2022-35909-cve-2022-35910-incorrect-access-control-and-xss-stored-to-jellyfin-967359c91058 •