CVE-2023-30627 CRITICAL

CVE-2023-30627: jellyfin-web has a stored cross-site scripting vulnerability in devices.js

Vendor Jellyfin

Product jellyfin-web

Weakness CWE-79 · XSS

Published April 24, 2023

Last update February 12, 2025

View on NVD All CVEs

CVSS base score

9.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the `REST` endpoints with admin privileges. When combined with CVE-2023-30626, this results in remote code execution on the Jellyfin instance in the context of the user who's running it. This issue is patched in version 10.8.10. There are no known workarounds.

Key dates

02Disclosure timeline

April 24, 2023 CVE published

February 12, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-30627 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2023-30627: jellyfin-web has a stored cross-site scripting vulnerability in devices.js

01Description

02Disclosure timeline

03References

04Related CVE