Vulnerability Details CVE-2023-23636
In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 68.4%
CVSS Severity
CVSS v3 Score 5.4
References
- https://github.com/jellyfin/jellyfin-web/issues/3788
- https://herolab.usd.de/security-advisories/
- https://herolab.usd.de/security-advisories/usd-2022-0030/
- https://github.com/jellyfin/jellyfin-web/issues/3788
- https://herolab.usd.de/security-advisories/
- https://herolab.usd.de/security-advisories/usd-2022-0030/
Products affected by CVE-2023-23636
-
cpe:2.3:a:jellyfin:jellyfin:10.8.0
-
cpe:2.3:a:jellyfin:jellyfin:10.8.1
-
cpe:2.3:a:jellyfin:jellyfin:10.8.2
-
cpe:2.3:a:jellyfin:jellyfin:10.8.3