Jellyfin · Jellyfin · CVE-2026-35032
**Name of the Vulnerable Software and Affected Versions**
Jellyfin versions prior to 10.11.7
**Description**
A flaw exists in the LiveTV M3U tuner endpoint `POST /LiveTv/TunerHosts`: the tuner URL is not validated. An authenticated user can therefore supply a non-HTTP path to make the server read local files, or an HTTP URL to perform Server-Side Request Forgery (SSRF), inducing the server to make requests to an unintended location. Because the `EnableLiveTvManagement` permission is enabled by default for new users, an attacker can add an M3U tuner pointing to a malicious server. By serving a crafted M3U with a channel pointing to the Jellyfin database, the attacker can exfiltrate the database to extract admin session tokens and escalate privileges to administrator.
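The two checks the description implies, as an added Python example: accept only absolute http(s) URLs (so a bare path or `file://` URL never reaches a file reader), and refuse HTTP URLs whose host resolves to a loopback, private or link-local address (the SSRF half), applied both to the tuner URL and to every channel URL in the playlist the tuner returns. This is illustrative code written for this page, not Jellyfin's code and not its actual fix; the function names, the `PLACEHOLDER` path, the sample playlist and the static resolver table are constructed.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

# Only absolute http(s) URLs are accepted as tuner or channel locations;
# bare filesystem paths and file:// URLs fail here before any file is opened.
ALLOWED_SCHEMES = {"http", "https"}


def _dns_resolve(host: str) -> List[str]:
    """Default resolver: every address the host resolves to on this system."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public_address(ip: str) -> bool:
    """False for loopback, RFC 1918, link-local, multicast, reserved, unspecified."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_tuner_url(url: str,
                       resolver: Optional[Callable[[str], List[str]]] = None
                       ) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise a short rejection reason.

    Every address the host resolves to is checked, so a name with one public
    and one internal record is still rejected.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    host = parsed.hostname
    if not host:
        return "missing host"
    if parsed.username or parsed.password:
        return "credentials in URL"
    try:
        addrs = (resolver or _dns_resolve)(host)
    except OSError:
        return "unresolvable host"
    if not addrs:
        return "unresolvable host"
    for ip in addrs:
        try:
            if not _is_public_address(ip):
                return f"non-public address {ip}"
        except ValueError:
            return f"malformed address {ip}"
    return None


def filter_m3u_channels(playlist: str,
                        resolver: Optional[Callable[[str], List[str]]] = None
                        ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split an M3U body into accepted channel URLs and rejected (url, reason).

    Lines starting with '#' (#EXTM3U, #EXTINF, ...) are metadata; every other
    non-empty line is a channel location and gets the same policy as the tuner
    URL, so a playlist entry naming a local file is dropped rather than read.
    """
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for raw in playlist.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reason = validate_tuner_url(line, resolver)
        if reason is None:
            accepted.append(line)
        else:
            rejected.append((line, reason))
    return accepted, rejected


# --- constructed sample data so the example runs offline ------------------

# Static name -> address table standing in for DNS (addresses are made up).
SAMPLE_RESOLVER_TABLE = {
    "cdn.example.net": ["1.2.3.4"],
    "intranet.example.internal": ["10.0.0.5"],
}


def sample_resolver(host: str) -> List[str]:
    """IP literals resolve to themselves; names come from the table above."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return SAMPLE_RESOLVER_TABLE.get(host, [])


# Constructed playlist: a legitimate stream, an internal HTTP target, and a
# local file path (PLACEHOLDER, not a real Jellyfin location).
SAMPLE_PLAYLIST = """#EXTM3U
#EXTINF:-1,Public stream
http://cdn.example.net/live/1.ts
#EXTINF:-1,Internal service
http://127.0.0.1/internal/
#EXTINF:-1,Local file
/PLACEHOLDER/path/to/database.db
"""
```

Two caveats for anyone adapting this: the address the validator checked must be the one the fetcher actually connects to (re-resolving at connect time reopens the DNS-rebinding window, so pin the resolved address or validate inside the connect hook), and any HTTP redirect returned by the tuner or a channel must be run through the same validator before it is followed.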
**Recommendations**
Update to version 10.11.7.
As a temporary workaround, disable Live TV Management privileges for all users.