This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Jellyfin < 10.11.7 has a critical flaw in the subtitle upload endpoint. The `Format` field is not validated. <br>π **Consequences**: This allows **Path Traversal** and **Arbitrary File Write**.β¦
π‘οΈ **Root Cause**: **CWE-20** (Improper Input Validation). <br>π **Flaw**: The application fails to sanitize or verify the `Format` parameter during subtitle uploads.β¦
π» **Attacker Actions**: Hackers can write arbitrary files to the server filesystem. <br>π **Privileges**: This leads to **Remote Code Execution (RCE)**. <br>π **Impact**: High.β¦
π **Threshold**: **Medium**. <br>π **Auth Required**: **Yes**. The vector indicates `PR:L` (Privileges Required: Low). You need a valid user account to upload subtitles. <br>π **Network**: Remote (AV:N).β¦
π£ **Public Exploit**: **No**. <br>π **Status**: The `pocs` field is empty. No public Proof-of-Concept (PoC) or wild exploitation code is currently available. However, the vulnerability is well-understood. π΅οΈββοΈ
Q7How to self-check? (Features/Scanning)
π **Self-Check**: <br>1. Check your Jellyfin version in the Admin Dashboard. <br>2. If version < **10.11.7**, you are vulnerable. <br>3.β¦
π¨ **Urgency**: **HIGH**. <br>π₯ **Priority**: **Immediate Action Required**. <br>π **Reason**: CVSS is Critical (10.0 equivalent impact). RCE is possible with low privileges. Patch immediately to prevent server takeover.β¦