{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T01:09:57.691","vulnerabilities":[{"cve":{"id":"CVE-2023-48702","sourceIdentifier":"security-advisories@github.com","published":"2023-12-13T21:15:07.847","lastModified":"2024-11-21T08:32:17.407","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the `/System/MediaEncoder/Path` endpoint executes an arbitrary file using `ProcessStartInfo` via the `ValidateVersion` function. A malicious administrator can set up a network share and supply a UNC path to `/System/MediaEncoder/Path` which points to an executable on the network share, causing the Jellyfin server to run the executable in the local context. The endpoint was removed in version 10.8.13."},{"lang":"es","value":"Jellyfin es un sistema para gestionar y transmitir medios. Antes de la versión 10.8.13, el endpoint `/System/MediaEncoder/Path` ejecuta un archivo arbitrario usando `ProcessStartInfo` a través de la función `ValidateVersion`. Un administrador malintencionado puede configurar un recurso compartido de red y proporcionar una ruta UNC a `/System/MediaEncoder/Path` que apunta a un ejecutable en el recurso compartido de red, lo que hace que el servidor Jellyfin ejecute el ejecutable en el contexto local. El endpoint se eliminó en la versión 10.8.13."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-77"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*","versionEndExcluding":"10.8.13","matchCriteriaId":"93D6F598-55D9-4041-BED8-4448226B5EFF"}]}]}],"references":[{"url":"https://github.com/jellyfin/jellyfin/commit/83d2c69516471e2db72d9273c6a04247d0f37c86","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rr9h-w522-cvmr","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://securitylab.github.com/advisories/GHSL-2023-028_jellyfin/","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]},{"url":"https://github.com/jellyfin/jellyfin/commit/83d2c69516471e2db72d9273c6a04247d0f37c86","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rr9h-w522-cvmr","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Vendor Advisory"]},{"url":"https://securitylab.github.com/advisories/GHSL-2023-028_jellyfin/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"]}]}}]}