7 matches found
CVE-2023-30627
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the REST endpoints with admin privileges. When combined with...
CVE-2023-30627
creationtimestamp| type| source ---|---|--- 2023-04-25 00:19:33+00:00| seen| https://t.me/cibsecurity/62768 2023-04-25 00:19:37+00:00| seen| https://t.me/cibsecurity/62771...
CVE-2023-30627
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the REST endpoints with admin privileges. When combined with...
Directory traversal
Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the ClientLogController, specifically /ClientLog/Document. When combined with a cross-site scripting vulnerability CVE-2023-30627, this can result...
CVE-2023-30627 jellyfin-web has a stored cross-site scripting vulnerability in devices.js
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the REST endpoints with admin privileges. When combined with...
CVE-2023-30627
Summary: CVE-2023-30627 is a stored XSS in jellyfin-web (device.js) affecting Jellyfin web client versions 10.1.0 up to, but not including, 10.8.10. Exploitation lets an attacker covertly call REST endpoints with admin privileges, and when chained with CVE-2023-30626 this can lead to remote code ...
CVE-2023-30627 jellyfin-web has a stored cross-site scripting vulnerability in devices.js
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the REST endpoints with admin privileges. When combined with...