8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
57.3%
In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. This lack of access control can be leveraged to performe a cross site scripting attack.
CPE | Name | Operator | Version |
---|---|---|---|
jellyfin.common | lt | 10.8.0 |
docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/edit
github.com/advisories/GHSA-qwp3-5fw3-5wgv
github.com/jellyfin/jellyfin/pull/7569/files
medium.com/stolabs/cve-2022-35909-cve-2022-35910-incorrect-access-control-and-xss-stored-to-jellyfin-967359c91058
nvd.nist.gov/vuln/detail/CVE-2022-35909