CVE-2023-30627

Name of the Vulnerable Software and Affected Versions jellyfin-web versions 10.1.0 through 10.8.10

Description A stored cross-site scripting issue in device.js can be used to make arbitrary calls to the REST endpoints with admin privileges. This can result in remote code execution on the Jellyfin instance when combined with other vulnerabilities. An unprivileged user can chain several exploits, including a stored XSS vulnerability, to achieve directory traversal, file write, and potential remote code execution. The process involves creating a session with a crafted authorization header, uploading an executable, and triggering the XSS payload. The ability to write arbitrary content to log files was added to allow flexibility to client logging. A directory traversal was found inside the ClientLogController, specifically /ClientLog/Document, which can be used to write a file with attacker-controlled content to the executing user's autostart directory.

Recommendations For versions 10.1.0 through 10.8.10, update to version 10.8.10 to resolve the issue. As a temporary workaround, consider disabling the REST endpoints until a patch is available. Restrict access to the /ClientLog/Document endpoint to minimize the risk of exploitation. Avoid using the ClientLogController until the issue is resolved.