Description
Jellyfin Web Cross-Site Scripting (XSS) via Playlist Name
In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-23636
- https://github.com/jellyfin/jellyfin-web/issues/3788
- https://github.com/jellyfin/jellyfin-web/pull/3789
- https://github.com/jellyfin/jellyfin/releases/tag/v10.8.4
- https://herolab.usd.de/security-advisories
- https://herolab.usd.de/security-advisories/usd-2022-0030
Packages

| Name | Affected versions | Fixed version |
| --- | --- | --- |
| jellyfin-web (npm) | >= 10.8.0, < 10.8.4 | 10.8.4 |
Related vulnerabilities
CVSS3: 5.4
nvd
about 3 years ago
In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.
CVSS3: 5.4
debian
about 3 years ago
In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerabl ...