Thegebirge

**Nome do software vulnerável e versões afetadas** Versões do Kavita anteriores à 0.8.1 **Descrição** O problema surge quando um e-book contendo scripts maliciosos é aberto, levando à execução de código no contexto de navegação. Isso ocorre porque o Kavita não sanitiza nem isola em sandbox o conteúdo dos arquivos EPUB, permitindo que os scripts dentro dos e-books sejam executados. **Recomendações** Para versões anteriores à 0.8.1, atualize para a versão 0.8.1 para resolver o problema. Como solução temporária, considere evitar o uso de e-books de fontes não confiáveis até que a atualização seja aplicada.

**Nome do software vulnerável e versões afetadas** Versões do Audiobookshelf anteriores à 2.10.0 **Descrição** O Audiobookshelf é um servidor autohospedado de audiolivros e podcasts. Abrir um e-book contendo scripts maliciosos pode levar à execução de código no contexto de navegação. Se um usuário com privilégios elevados, como capacidade de upload ou criação de bibliotecas, for atacado, isso pode resultar em execução remota de código (RCE) no pior dos casos. Esta vulnerabilidade não se limita a um sistema operacional específico, pois a gravação arbitrária de arquivos é suficientemente poderosa para potencialmente levar à RCE em várias plataformas, incluindo o Linux. **Recomendações** Para versões anteriores à 2.10.0, atualize para a versão 2.10.0 para resolver o problema. Como solução temporária, considere restringir os privilégios dos usuários, especialmente aqueles relacionados ao upload e à criação de bibliotecas, para minimizar o risco de exploração. Além disso, evite abrir e-books de fontes não confiáveis para reduzir o risco de execução de código.

**Name of the Vulnerable Software and Affected Versions** Jellyfin versions prior to 10.8.13 **Description** The issue concerns an argument injection in the VideosController, specifically the "/Videos/<itemId>/stream" and "/Videos/<itemId>/stream.<container>" endpoints, which are reachable by an unauthenticated user. Additional endpoints in the AudioController might also be vulnerable. To exploit this, an attacker must guess a random GUID, `itemId`, making direct exploitation unlikely without an additional information leak. The `videoCodec` and `audioCodec` query parameters are vulnerable to argument injection, allowing an attacker to inject arguments into the FFmpeg command line. This could potentially enable overwriting an arbitrary file with malicious content. **Recommendations** For versions prior to 10.8.13, upgrade to version 10.8.13 or later to address the vulnerability. As a temporary workaround, consider restricting access to the `/Videos/<itemId>/stream` and `/Videos/<itemId>/stream.<container>` endpoints until the upgrade is possible. Additionally, limiting the use of query parameters such as `videoCodec` and `audioCodec` can help minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jellyfin versions 10.8.0 through 10.8.10 **Description** The issue is related to a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. This vulnerability can be combined with a cross-site scripting vulnerability to result in file write and arbitrary code execution. An attacker can exploit this by creating a session as a low-privileged user with a crafted authorization header, uploading an executable that contains a malicious plugin, and triggering the XSS payload. The vulnerability allows an attacker to write arbitrary content to log files, which can be used to execute system commands and send back the results. **Recommendations** For versions 10.8.0 through 10.8.9, update to version 10.8.10, which has a patch for this issue. As a temporary workaround, consider restricting access to the `/ClientLog/Document` endpoint until a patch is available. Avoid using the `ClientLogController` until the issue is resolved. Restrict access to the `System/MediaEncoder/Path` endpoint to minimize the risk of exploitation. Consider disabling the executable upload feature via the `/ClientLog/Document` endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** jellyfin-web versions 10.1.0 through 10.8.10 **Description** A stored cross-site scripting issue in device.js can be used to make arbitrary calls to the REST endpoints with admin privileges. This can result in remote code execution on the Jellyfin instance when combined with other vulnerabilities. An unprivileged user can chain several exploits, including a stored XSS vulnerability, to achieve directory traversal, file write, and potential remote code execution. The process involves creating a session with a crafted authorization header, uploading an executable, and triggering the XSS payload. The ability to write arbitrary content to log files was added to allow flexibility to client logging. A directory traversal was found inside the ClientLogController, specifically /ClientLog/Document, which can be used to write a file with attacker-controlled content to the executing user's autostart directory. **Recommendations** For versions 10.1.0 through 10.8.10, update to version 10.8.10 to resolve the issue. As a temporary workaround, consider disabling the `REST` endpoints until a patch is available. Restrict access to the `/ClientLog/Document` endpoint to minimize the risk of exploitation. Avoid using the `ClientLogController` until the issue is resolved.