PT-2023-22823 · Jellyfin · Jellyfin

Thegebirge · Published 2023-04-24 · Updated 2023-05-04 · CVE-2023-30626

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Jellyfin versions 10.8.0 through 10.8.10

Description: The issue is a directory traversal vulnerability in the ClientLogController, specifically the /ClientLog/Document endpoint. It can be chained with a cross-site scripting vulnerability to achieve file write and arbitrary code execution. An attacker exploits it by creating a session as a low-privileged user with a crafted authorization header, uploading an executable that contains a malicious plugin, and triggering the XSS payload. The vulnerability lets an attacker write arbitrary content to log files, which can then be used to execute system commands and return the results.

Recommendations: For versions 10.8.0 through 10.8.9, update to version 10.8.10, which patches this issue. As a temporary workaround, restrict access to the /ClientLog/Document endpoint until a patch is available, and avoid using the ClientLogController until the issue is resolved. Restrict access to the System/MediaEncoder/Path endpoint to minimize the risk of exploitation, and consider disabling the executable upload feature via the /ClientLog/Document endpoint until a patch is available.
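The workaround above is to restrict the two endpoints the advisory names. The following Python script is an added example, not part of the advisory or of Jellyfin: it scans reverse-proxy access logs for requests that still reach /ClientLog/Document or System/MediaEncoder/Path and for percent-encoded traversal sequences in the request path or Authorization header. The tab-separated log layout and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Endpoints the advisory recommends restricting while the fix is rolled out.
WATCHED_ENDPOINTS = {"/clientlog/document", "/system/mediaencoder/path"}
# Traversal tokens, matched after percent-decoding so %2F and %5C variants are caught.
TRAVERSAL = re.compile(r"\.\.[/\\]")

def normalize(value: str) -> str:
    """Percent-decode up to twice (double encoding is a common evasion) and lowercase."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()

def classify(path: str, status: str, authorization: str):
    """Return (severity, reason) for one request, or None if it touches no watched endpoint."""
    endpoint = normalize(path.split("?", 1)[0]).rstrip("/")
    if endpoint not in WATCHED_ENDPOINTS:
        return None
    # The advisory says the attack starts with a crafted authorization header,
    # so look for traversal tokens in the header as well as in the request line.
    if any(TRAVERSAL.search(normalize(field)) for field in (path, authorization)):
        return ("critical", f"traversal sequence sent to {endpoint}")
    if status.startswith("2"):
        return ("warn", f"{endpoint} still reachable (status {status}); workaround not applied")
    return ("info", f"{endpoint} request blocked (status {status})")

def scan(log_text: str):
    """Parse constructed tab-separated lines (ip, method, path, status, authorization)."""
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        ip, _method, path, status, authorization = raw.split("\t")
        verdict = classify(path, status, authorization)
        if verdict:
            findings.append((lineno, ip, *verdict))
    return findings

# Constructed sample traffic, not real Jellyfin logs; tabs separate the five fields.
SAMPLE_LOG = "\n".join([
    "10.0.0.5\tGET\t/Users/Me\t200\tMediaBrowser Client=\"Web\", Device=\"Firefox\"",
    "10.0.0.9\tPOST\t/ClientLog/Document\t200\tMediaBrowser Client=\"..%2F..%2Fx\", Device=\"d\"",
    "10.0.0.9\tGET\t/System/MediaEncoder/Path\t200\tMediaBrowser Client=\"Web\"",
    "10.0.0.5\tPOST\t/ClientLog/Document\t403\tMediaBrowser Client=\"Web\", Device=\"Firefox\"",
])
```

Running scan(SAMPLE_LOG) yields one critical finding (traversal token in the header sent to /ClientLog/Document), one warning for the still-reachable System/MediaEncoder/Path, and one informational entry for the blocked request.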

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2023-30626
GHSA-89HP-H43H-R5PQ
GHSA-9P5F-5X8V-X65M

Affected Products

Jellyfin