CVE-2023-23636

Опубликовано: 03 фев. 2023

Источник: nvd

CVSS3: 5.4

EPSS Низкий

Описание

In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

Ссылки

https://github.com/jellyfin/jellyfin-web/issues/3788
Exploit
Issue Tracking
Patch
Third Party Advisory
https://herolab.usd.de/security-advisories/
Third Party Advisory
https://herolab.usd.de/security-advisories/usd-2022-0030/
Exploit
Third Party Advisory
https://github.com/jellyfin/jellyfin-web/issues/3788
Exploit
Issue Tracking
Patch
Third Party Advisory
https://herolab.usd.de/security-advisories/
Third Party Advisory
https://herolab.usd.de/security-advisories/usd-2022-0030/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*

Версия от 10.8.0 (включая) до 10.8.3 (включая)

EPSS

Процентиль: 67%

0.00532

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

CVE-2023-23636

CVSS3: 5.4

debian

около 3 лет назад

In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerabl ...

GHSA-2h5r-cqfc-45v6

CVSS3: 5.4

github

около 3 лет назад

Jellyfin Web Cross-Site Scripting (XSS) via Playlist Name

EPSS

Процентиль: 67%

0.00532

Низкий

5.4 Medium

CVSS3

Дефекты

CWE-79