The author shares their experience of discovering two vulnerabilities, CVE-2023-30626 and CVE-2023-30627, in the open-source Jellyfin media server. They explain their approach and methodology for exploring the server's REST API, and how they exploited a file write vulnerability in the devices section of the admin dashboard to perform a stored Cross-Site Scripting attack. They then show how they achieved code execution on the server by creating a dropper plugin that replaced the media encoder binary with their own malicious code. The author highlights the depth of the codebase and the complexity of exploiting it, with impressive results.
https://gebir.ge/blog/peanut-butter-jellyfin-time/