jellyfin jellyfin vulnerabilities and exploits
7.5
CVSSv3
CVE-2023-27161
Jellyfin up to v10.7.7 contains a Server-Side Request Forgery (SSRF) via the component /Repositories. This vulnerability allows malicious users to access network resources and sensitive information via a crafted POST request.
Jellyfin Jellyfin
8.1
CVSSv3
CVE-2023-30626
Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30...
Jellyfin Jellyfin
5.4
CVSSv3
CVE-2023-30627
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the `REST` endpoints with admin privileges. When com...
Jellyfin Jellyfin
6.5
CVSSv3
CVE-2021-21402
Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are ...
Jellyfin Jellyfin
4 GitHub repositories
8.8
CVSSv3
CVE-2023-49096
Jellyfin is a Free Software Media System for managing and streaming media. In affected versions there is an argument injection in the VideosController, specifically the `/Videos/<itemId>/stream` and `/Videos/<itemId>/stream.<container>` endpoints which are prese...
Jellyfin Jellyfin
5.4
CVSSv3
CVE-2023-23635
In Jellyfin 10.8.x up to and including 10.8.3, the name of a collection is vulnerable to stored XSS. This allows a malicious user to steal access tokens from the localStorage of the victim.
Jellyfin Jellyfin
5.4
CVSSv3
CVE-2023-23636
In Jellyfin 10.8.x up to and including 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows a malicious user to steal access tokens from the localStorage of the victim.
Jellyfin Jellyfin
7.2
CVSSv3
CVE-2023-48702
Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the `/System/MediaEncoder/Path` endpoint executes an arbitrary file using `ProcessStartInfo` via the `ValidateVersion` function. A malicious administrator can set up a network share and supply a UNC p...
Jellyfin Jellyfin
8.8
CVSSv3
CVE-2022-35909
In Jellyfin prior to 10.8, the /users endpoint has incorrect access control for admin functionality.
Jellyfin Jellyfin
5.4
CVSSv3
CVE-2022-35910
In Jellyfin prior to 10.8, stored XSS allows theft of an admin access token.
Jellyfin Jellyfin