jellyfin-web has a stored cross-site scripting vulnerability in devices.js
CVE-2023-30627

9.1CRITICAL

Key Information:

Vendor

Jellyfin

Status
Jellyfin-web
Vendor
CVE Published:
24 April 2023

What is CVE-2023-30627?

A stored cross-site scripting vulnerability exists in the web client of Jellyfin, affecting versions from 10.1.0 up to, but not including, 10.8.10. This vulnerability in device.js allows attackers to execute arbitrary commands on the REST endpoints with admin privileges. When exploited in conjunction with another vulnerability, remote code execution can occur within the context of the user running the instance. Users are advised to upgrade to version 10.8.10 or later, as there are no known workarounds for this security issue.

Affected Version(s)

jellyfin-web >= 10.1.0, < 10.8.10

References

https://github.com/jellyfin/jellyfin-web/security/advisor...
x_refsource_CONFIRM
https://github.com/jellyfin/jellyfin/security/advisories/...
x_refsource_MISC
https://github.com/jellyfin/jellyfin-web/commit/b88a5951e...
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2023-30627 : jellyfin-web has a stored cross-site scripting vulnerability in devices.js