Hydragyrum

#44750 of 53,630
5.8 Total CVSS
Vulnerabilities · 1
PT-2021-18251
5.8
2021-05-05
Jellyfin · Jellyfin · CVE-2021-29490
Name of the Vulnerable Software and Affected Versions: Jellyfin versions prior to 10.7.3

Description: Jellyfin allowed unauthenticated Server-Side Request Forgery (SSRF) through the `imageUrl` parameter. The server fetched whatever URL it was handed with an HTTP GET, so an attacker could make it reach internal and external HTTP servers, or any other resource reachable by HTTP GET, that are visible from the Jellyfin server even when they are not reachable from the attacker's own network position.

Recommendations: Update to version 10.7.3, which fixes the issue. As a temporary workaround, block external access to the API endpoints /Items/*/RemoteImages/Download, /Items/RemoteSearch/Image and /Images/Remote at the reverse proxy, or restrict those endpoints to known-friendly IPs. A proxy rule only helps if clients cannot reach Jellyfin's own listener directly and bypass the proxy.
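The class of defence a "download this remote image" handler needs before it fetches an `imageUrl` value, as an added example; this is not Jellyfin's code and the page does not describe how 10.7.3 fixed the bug. The function names, the scheme and port allow-lists and the DNS table are assumptions made for illustration, and the example goes beyond the advisory text by also covering IPv4-mapped IPv6 literals, decimal IP spellings and split DNS answers where only one record points inside.

```python
"""Added example (not Jellyfin code): a URL gate for a "fetch this remote image"
handler of the kind CVE-2021-29490 describes. Everything here, including the
constructed DNS table, is an assumption made for illustration."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # never file:, gopher:, ftp:, ...
ALLOWED_PORTS = {80, 443}             # keep the server off admin/debug ports


class UnsafeUrl(ValueError):
    """The user-supplied URL must not be fetched on the server's behalf."""


def _is_public(ip) -> bool:
    """True only for globally routable addresses: rejects loopback, RFC 1918,
    link-local (including 169.254.169.254 cloud metadata), multicast, reserved."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so it gets the IPv4 checks.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def default_resolver(host: str) -> List[str]:
    """Every A/AAAA record for host; the gate must accept ALL of them."""
    return [info[4][0] for info in
            socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)]


def check_image_url(url: str,
                    resolver: Callable[[str], Iterable[str]] = default_resolver
                    ) -> Tuple[str, str, int]:
    """Validate an imageUrl value. Returns (host, pinned_ip, port) so the
    caller connects to the address that was actually checked (closing the
    DNS-rebinding window between check and fetch). Raises UnsafeUrl otherwise."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    if parts.username or parts.password:
        raise UnsafeUrl("credentials in URL")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as e:          # e.g. port out of range
        raise UnsafeUrl(f"bad port: {e}") from None
    if port not in ALLOWED_PORTS:
        raise UnsafeUrl(f"port not allowed: {port}")
    # A literal IP is checked directly. Anything ipaddress cannot parse (names,
    # but also decimal "2130706433" or octal "0177.0.0.1" spellings that the OS
    # resolver WOULD accept as 127.0.0.1) goes through the resolver, so no
    # spelling of an address skips the check.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = list(resolver(host))
    if not addrs:
        raise UnsafeUrl(f"{host!r} does not resolve")
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            raise UnsafeUrl(f"unparsable address {a!r} for {host!r}") from None
        if not _is_public(ip):
            raise UnsafeUrl(f"{host!r} maps to non-public address {a}")
    return host, addrs[0], port


def classify(urls: Iterable[str],
             resolver: Callable[[str], Iterable[str]] = default_resolver
             ) -> Dict[str, str]:
    """Verdict per candidate URL: 'ok' or 'blocked: <reason>'."""
    verdicts = {}
    for u in urls:
        try:
            check_image_url(u, resolver)
            verdicts[u] = "ok"
        except UnsafeUrl as e:
            verdicts[u] = f"blocked: {e}"
    return verdicts


# Constructed DNS table so the example runs offline; these are not real records.
FAKE_DNS = {
    "images.example.org": ["93.184.216.34"],
    "evil.example.net": ["93.184.216.34", "10.0.0.5"],   # split answer, one internal
    "metadata.internal": ["169.254.169.254"],
    "2130706433": ["127.0.0.1"],   # what glibc getaddrinfo makes of a decimal IP
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    samples = [
        "https://images.example.org/poster.jpg",
        "http://127.0.0.1/",
        "http://[::ffff:127.0.0.1]/",
        "http://2130706433/",
        "http://metadata.internal/latest/meta-data/",
        "http://evil.example.net/",
        "file:///etc/passwd",
        "http://images.example.org:8096/poster.jpg",
    ]
    for url, verdict in classify(samples, fake_resolver).items():
        print(f"{verdict:<55} {url}")
```

The gate only decides; the fetch that follows has to honour the decision. Connect to the returned pinned IP and send the original hostname in the Host header (or SNI) rather than resolving again, do not let the HTTP client follow redirects on its own but re-run the gate on every Location header, and cap response size and time so the endpoint cannot be used to tie up the server. At the proxy layer, the advisory's workaround of blocking the three endpoints for non-trusted source addresses stays useful even after the upgrade as defence in depth.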