CVE-2023-23635

Опубликовано: 03 фев. 2023

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

Ссылки

https://github.com/jellyfin/jellyfin-web/issues/3788
Issue Tracking
Third Party Advisory
https://herolab.usd.de/security-advisories/
Third Party Advisory
https://herolab.usd.de/security-advisories/usd-2022-0031/
Exploit
Third Party Advisory
https://github.com/jellyfin/jellyfin-web/issues/3788
Issue Tracking
Third Party Advisory
https://herolab.usd.de/security-advisories/
Third Party Advisory
https://herolab.usd.de/security-advisories/usd-2022-0031/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*

Версия от 10.8.0 (включая) до 10.8.3 (включая)

EPSS

Процентиль: 67%

0.00538

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

CVE-2023-23635

CVSS3: 5.4

debian

около 3 лет назад

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnera ...

GHSA-749c-pc87-4qcw

CVSS3: 5.4

github

около 3 лет назад

Jellyfin Web Cross-Site Scripting (XSS) via Collection Name

EPSS

Процентиль: 67%

0.00538

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-79