jellyfin-web has a stored cross-site scripting vulnerability in devices.js
CVE-2023-30627
9.1CRITICAL
What is CVE-2023-30627?
A stored cross-site scripting vulnerability exists in the web client of Jellyfin, affecting versions from 10.1.0 up to, but not including, 10.8.10. This vulnerability in device.js allows attackers to execute arbitrary commands on the REST endpoints with admin privileges. When exploited in conjunction with another vulnerability, remote code execution can occur within the context of the user running the instance. Users are advised to upgrade to version 10.8.10 or later, as there are no known workarounds for this security issue.
Affected Version(s)
jellyfin-web >= 10.1.0, < 10.8.10