
Gerhardbotha97

#30635 of 53,624
8.6 Total CVSS
Vulnerabilities · 1
PT-2026-32957
8.6
2026-04-14
Jellyfin · Jellyfin · CVE-2026-35032
**Name of the Vulnerable Software and Affected Versions**

Jellyfin versions prior to 10.11.7

**Description**

A flaw exists in the LiveTV M3U tuner endpoint `POST /LiveTv/TunerHosts`, where the tuner URL is not validated. This allows an authenticated user to perform local file reads via non-HTTP paths and Server-Side Request Forgery (SSRF), which is the ability to induce the server to make requests to an unintended location, via HTTP URLs. Because the `EnableLiveTvManagement` permission is enabled by default for new users, an attacker can add an M3U tuner pointing to a malicious server. By serving a crafted M3U with a channel pointing to the Jellyfin database, the attacker can exfiltrate the database to extract admin session tokens and escalate privileges to administrator.

**Recommendations**

Update to version 10.11.7. As a temporary workaround, disable Live TV Management privileges for all users.