Lucene search

PRIOn knowledge basePRION:CVE-2023-23635

HistoryFeb 03, 2023 - 1:15 a.m.

Design/Logic Flaw

2023-02-0301:15:00

PRIOn knowledge base

www.prio-n.com

jellyfin

collection

xss

vulnerability

access tokens

localstorage

nvd

5.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.9%

JSON

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

CPENameOperatorVersion
jellyfinge10.8.0
jellyfinle10.8.3

CPE	Name	Operator	Version
	jellyfin	ge	10.8.0
	jellyfin	le	10.8.3

References

github.com/jellyfin/jellyfin-web/issues/3788

herolab.usd.de/security-advisories/

herolab.usd.de/security-advisories/usd-2022-0031/