CVE-2023-30627

Опубликовано: 24 апр. 2023

Источник: nvd

CVSS3: 9

CVSS3: 5.4

EPSS Низкий

Описание

jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the REST endpoints with admin privileges. When combined with CVE-2023-30626, this results in remote code execution on the Jellyfin instance in the context of the user who's running it. This issue is patched in version 10.8.10. There are no known workarounds.

Ссылки

https://github.com/jellyfin/jellyfin-web/commit/b88a5951e1a517ff4c820e693d9c0da981cf68ee
Patch
https://github.com/jellyfin/jellyfin-web/releases/tag/v10.8.10
Release Notes
https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq
Vendor Advisory
https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m
Exploit
Patch
Vendor Advisory
https://github.com/jellyfin/jellyfin-web/commit/b88a5951e1a517ff4c820e693d9c0da981cf68ee
Patch
https://github.com/jellyfin/jellyfin-web/releases/tag/v10.8.10
Release Notes
https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq
Vendor Advisory
https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m
Exploit
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*

Версия от 10.1.0 (включая) до 10.8.10 (исключая)

EPSS

Процентиль: 73%

0.00783

Низкий

9 Critical

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79

EPSS

Процентиль: 73%

0.00783

Низкий

9 Critical

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79