High severity · NVD Advisory · Published Apr 24, 2023 · Updated Feb 12, 2025
Jellyfin vulnerable to directory traversal and file write causing arbitrary code execution
CVE-2023-30626
Description
Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 have a directory traversal vulnerability inside the ClientLogController, specifically /ClientLog/Document. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Jellyfin.Controller (NuGet) | >= 10.8.0, < 10.8.10 | 10.8.10 |
References
- github.com/advisories/GHSA-9p5f-5x8v-x65m (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-30626 (ghsa, ADVISORY)
- github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq (ghsa, x_refsource_MISC, WEB)
- github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs (ghsa, x_refsource_MISC, WEB)
- github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7 (ghsa, x_refsource_MISC, WEB)
- github.com/jellyfin/jellyfin/pull/5918 (ghsa, x_refsource_MISC, WEB)
- github.com/jellyfin/jellyfin/releases/tag/v10.8.10 (ghsa, x_refsource_MISC, WEB)
- github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m (ghsa, x_refsource_CONFIRM, WEB)