Detections
Analytics

CVE-2023-30626

high

Description

Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.

References

https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m

https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10

https://github.com/jellyfin/jellyfin/pull/5918

https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7

https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44

https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq

Details

Source: Mitre, NVD

Published: 2023-04-24

Updated: 2023-05-04

Risk Information

CVSS v2

Base Score: 8.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N

Severity: High

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Severity: High