CVE-2023-30627— jellyfin-web has a stored cross-site scripting vulnerability in devices.js
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-30627
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
jellyfin-web has a stored cross-site scripting vulnerability in devices.js
Source: NVD (National Vulnerability Database)
Vulnerability Description
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the `REST` endpoints with admin privileges. When combined with CVE-2023-30626, this results in remote code execution on the Jellyfin instance in the context of the user who's running it. This issue is patched in version 10.8.10. There are no known workarounds.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Jellyfin 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Jellyfin是一个免费软件媒体系统。可让您控制媒体的管理和流式传输。它是专有Emby和Plex的替代产品,可以通过多个应用程序将专用服务器中的媒体提供给最终用户设备。 Jellyfin存在跨站脚本漏洞,该漏洞源于存在存储型跨站脚本(XSS)漏洞。攻击者可利用该漏洞以管理员权限对REST端点任意调用。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| jellyfin | jellyfin-web | >= 10.1.0, < 10.8.10 | - |
II. Public POCs for CVE-2023-30627
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-30627
请登录查看更多情报信息。
- https://github.com/jellyfin/jellyfin-web/releases/tag/v10.8.10x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2023-30627
IV. Related Vulnerabilities
Same vendor: jellyfin
- CVE-2026-35034
Jellyfin: Potential Application DoS from excessively large S - CVE-2026-35033
Jellyfin: Potential SSRF + Arbitrary file read via stream ar - CVE-2026-35032
Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3 - CVE-2026-35031
Jellyfin: Potential RCE via subtitle upload path traversal + - CVE-2026-31852
Jellyfin Possible Organization/Secret Compromise from danger
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2023-30627
No comments yet