Home > Vulnerability Database > CVE-2023-30626

Mend.io Vulnerability Database

CVE-2023-30626

Date: April 24, 2023

Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the "ClientLogController", specifically "/ClientLog/Document". When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.

Language: C#

Severity Score

8.8

Related Resources (9)

Url: https://github.com/jellyfin/jellyfin/pull/5918

Url: https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7

Url: https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10

Url: https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44

Url: https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m

Url: https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq

Url: https://github.com/jellyfin/jellyfin

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-30626

Url: https://www.mend.io/vulnerability-database/CVE-2023-30626

Severity Score

8.8

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-30626

Date: April 24, 2023

Language: C#

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?