CVE-2023-23636

Name of the Vulnerable Software and Affected Versions Jellyfin versions 10.8.x through 10.8.3

Description The name of a playlist in Jellyfin is vulnerable to stored XSS, allowing an attacker to steal access tokens from the localStorage of the victim.

Recommendations For Jellyfin versions 10.8.x through 10.8.3, consider restricting the ability to create or edit playlist names until a patch is available to prevent stored XSS attacks. As a temporary workaround, users should be cautious when accessing playlists from untrusted sources. At the moment, there is no information about a newer version that contains a fix for this vulnerability.