Jellyfin

23 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.63%
  • Published 15.04.2025 20:08:52
  • Last modified 06.10.2025 16:49:44

Jellyfin is an open source self hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpoint is intended to be admins-only, but it also aut...

  • EPSS 0.35%
  • Published 02.09.2024 18:15:36
  • Last modified 21.11.2024 09:35:53

Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the J...

Exploit
  • EPSS 1.2%
  • Published 13.12.2023 21:15:07
  • Last modified 21.11.2024 08:32:17

Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the `/System/MediaEncoder/Path` endpoint executes an arbitrary file using `ProcessStartInfo` via the `ValidateVersion` function. A malicious administrator can set up a ne...

Exploit
  • EPSS 1.25%
  • Published 06.12.2023 20:15:07
  • Last modified 21.11.2024 08:32:48

Jellyfin is a Free Software Media System for managing and streaming media. In affected versions there is an argument injection in the VideosController, specifically the `/Videos/<itemId>/stream` and `/Videos/<itemId>/stream.<container>` endpoints whi...

Exploit
  • EPSS 1.28%
  • Published 24.04.2023 21:15:09
  • Last modified 21.11.2024 08:00:32

jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the `REST` endpoints w...

Exploit
  • EPSS 1.97%
  • Published 24.04.2023 21:15:09
  • Last modified 21.11.2024 08:00:32

Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scri...

Exploit
  • EPSS 0.98%
  • Published 10.03.2023 16:15:11
  • Last modified 28.02.2025 22:15:38

Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request.

Exploit
  • EPSS 0.65%
  • Published 03.02.2023 01:15:14
  • Last modified 26.03.2025 19:15:23

In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

Exploit
  • EPSS 0.56%
  • Published 03.02.2023 01:15:14
  • Last modified 26.03.2025 19:15:22

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

Exploit
  • EPSS 0.67%
  • Published 19.08.2022 13:15:08
  • Last modified 21.11.2024 07:11:56

In Jellyfin before 10.8, stored XSS allows theft of an admin access token.