7 matches found
EUVD-2023-34993
Malicious code in bioql PyPI...
CVE-2023-30627
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the REST endpoints with admin privileges. When combined with...
CVE-2023-30627
Summary: CVE-2023-30627 is a stored XSS in jellyfin-web (device.js) affecting Jellyfin web client versions 10.1.0 up to, but not including, 10.8.10. Exploitation lets an attacker covertly call REST endpoints with admin privileges, and when chained with CVE-2023-30626 this can lead to remote code ...
CVE-2023-30627 jellyfin-web has a stored cross-site scripting vulnerability in devices.js
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the REST endpoints with admin privileges. When combined with...
CVE-2023-30627 jellyfin-web has a stored cross-site scripting vulnerability in devices.js
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the REST endpoints with admin privileges. When combined with...
PT-2023-22824 · Jellyfin · Jellyfin-Web
Name of the Vulnerable Software and Affected Versions: jellyfin-web versions 10.1.0 through 10.8.10
Description: A stored cross-site scripting issue in device.js can be used to make arbitrary calls to the REST endpoints with admin privileges. This can result in remote code execution on the Jellyf...
Jellyfin Web Cross-Site Scripting (XSS) via Collection Name
In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim...