PT-2023-19095 · Jellyfin · Jellyfin

Christian Pöschl

Published

2023-02-03

Updated

2025-03-26

CVE-2023-23635

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Jellyfin versions 10.8.x through 10.8.3

Description The issue concerns stored XSS in the name of a collection. This allows an attacker to steal access tokens from the localStorage of the victim.

Recommendations For Jellyfin versions 10.8.x through 10.8.3, consider restricting the ability to edit collection names to prevent potential exploitation until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2023-23635

GHSA-749C-PC87-4QCW

Affected Products

Jellyfin

PT-2023-19095 · Jellyfin · Jellyfin

CVE-2023-23635

Weakness Enumeration

Related Identifiers

Affected Products

References · 11