Thegebirge

**Name of the Vulnerable Software and Affected Versions** Kavita versions prior to 0.8.1 **Description** The issue arises when an ebook containing malicious scripts is opened, leading to code execution within the browsing context. This occurs because Kavita does not sanitize or sandbox the contents of epubs, allowing scripts inside ebooks to execute. **Recommendations** For versions prior to 0.8.1, update to version 0.8.1 to resolve the issue. As a temporary workaround, consider avoiding the use of ebooks from untrusted sources until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Audiobookshelf versions prior to 2.10.0 **Description** Audiobookshelf is a self-hosted audiobook and podcast server. Opening an ebook with malicious scripts inside can lead to code execution inside the browsing context. If a user with high privileges, such as upload or library creation capabilities, is attacked, it can result in remote code execution (RCE) in the worst case. This issue is not limited to a specific operating system, as an arbitrary file write is powerful enough to potentially lead to RCE on various platforms, including Linux. **Recommendations** For versions prior to 2.10.0, update to version 2.10.0 to resolve the issue. As a temporary workaround, consider restricting user privileges, especially those related to upload and library creation, to minimize the risk of exploitation. Additionally, avoid opening ebooks from untrusted sources to reduce the risk of code execution.

**Name of the Vulnerable Software and Affected Versions** Jellyfin versions prior to 10.8.13 **Description** The issue concerns an argument injection in the VideosController, specifically the "/Videos/<itemId>/stream" and "/Videos/<itemId>/stream.<container>" endpoints, which are reachable by an unauthenticated user. Additional endpoints in the AudioController might also be vulnerable. To exploit this, an attacker must guess a random GUID, `itemId`, making direct exploitation unlikely without an additional information leak. The `videoCodec` and `audioCodec` query parameters are vulnerable to argument injection, allowing an attacker to inject arguments into the FFmpeg command line. This could potentially enable overwriting an arbitrary file with malicious content. **Recommendations** For versions prior to 10.8.13, upgrade to version 10.8.13 or later to address the vulnerability. As a temporary workaround, consider restricting access to the `/Videos/<itemId>/stream` and `/Videos/<itemId>/stream.<container>` endpoints until the upgrade is possible. Additionally, limiting the use of query parameters such as `videoCodec` and `audioCodec` can help minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jellyfin versions 10.8.0 through 10.8.10 **Description** The issue is related to a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. This vulnerability can be combined with a cross-site scripting vulnerability to result in file write and arbitrary code execution. An attacker can exploit this by creating a session as a low-privileged user with a crafted authorization header, uploading an executable that contains a malicious plugin, and triggering the XSS payload. The vulnerability allows an attacker to write arbitrary content to log files, which can be used to execute system commands and send back the results. **Recommendations** For versions 10.8.0 through 10.8.9, update to version 10.8.10, which has a patch for this issue. As a temporary workaround, consider restricting access to the `/ClientLog/Document` endpoint until a patch is available. Avoid using the `ClientLogController` until the issue is resolved. Restrict access to the `System/MediaEncoder/Path` endpoint to minimize the risk of exploitation. Consider disabling the executable upload feature via the `/ClientLog/Document` endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** jellyfin-web versions 10.1.0 through 10.8.10 **Description** A stored cross-site scripting issue in device.js can be used to make arbitrary calls to the REST endpoints with admin privileges. This can result in remote code execution on the Jellyfin instance when combined with other vulnerabilities. An unprivileged user can chain several exploits, including a stored XSS vulnerability, to achieve directory traversal, file write, and potential remote code execution. The process involves creating a session with a crafted authorization header, uploading an executable, and triggering the XSS payload. The ability to write arbitrary content to log files was added to allow flexibility to client logging. A directory traversal was found inside the ClientLogController, specifically /ClientLog/Document, which can be used to write a file with attacker-controlled content to the executing user's autostart directory. **Recommendations** For versions 10.1.0 through 10.8.10, update to version 10.8.10 to resolve the issue. As a temporary workaround, consider disabling the `REST` endpoints until a patch is available. Restrict access to the `/ClientLog/Document` endpoint to minimize the risk of exploitation. Avoid using the `ClientLogController` until the issue is resolved.