Description
Jellyfin is a free-software media system. Versions from 10.8.0 up to, but not including, 10.8.10 have a directory traversal vulnerability in the ClientLogController, specifically the /ClientLog/Document endpoint. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 contains a patch for this issue. There are no known workarounds.
References
- Vendor Advisory
- Exploit, Vendor Advisory
- Patch
- Patch, Vendor Advisory
- Release Notes
- Exploit, Patch, Vendor Advisory
Vulnerable configurations
Configuration 1: version from 10.8.0 (inclusive) to 10.8.10 (exclusive)
cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*
EPSS
Score: 0.00994 (percentile: 76%), Low
CVSS3: 8.8 High
CVSS3: 8.1 High
Weaknesses
CWE-22
Related vulnerabilities
- debian, almost 3 years ago, CVSS3: 8.8: Jellyfin is a free-software media system. Versions starting with 10.8. ...
- github, almost 3 years ago, CVSS3: 8.8: Directory traversal + file write causing arbitrary code execution