PT-2024-30669 · Jellyfin · Jellyfin

Itz-D0Dgy
Published 2024-09-02 · Updated 2024-10-01
CVE-2024-43801
CVSS v3.1: 4.6 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Affected software and versions: Jellyfin versions prior to 10.9.10
Description: The Jellyfin user profile image upload accepts SVG files, allowing a stored XSS attack against an admin user via a specially crafted malicious SVG file. When an admin views the file outside of the Jellyfin Web UI, the malicious SVG can interact with the browser's LocalStorage and retrieve an AccessToken, which can then be used in an API call to elevate the target user to a Jellyfin administrator. The attack vector is unlikely to be exploited, as it requires the administrator to take specific actions to view the SVG image outside of Jellyfin's Web UI.
Recommendations: For versions prior to 10.9.10, upgrade to release 10.9.10 to resolve the issue. As a temporary workaround, consider disabling the upload of SVG files for user profiles until the patch is applied. Restrict access to the user profile image upload feature to minimize the risk of exploitation. Avoid viewing user profile images outside of the Jellyfin Web UI to prevent potential interaction with the browser's LocalStorage.
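One way to implement the SVG-upload workaround on the server side, as an added example that is not Jellyfin's own code: it assumes the upload handler can call a hypothetical validate_profile_image on the raw bytes before storing them, and the allow-list of raster formats is a policy choice. Content sniffing decides, so a file renamed to .png or sent with an image/png Content-Type is still rejected if it is SVG/XML.

```python
# Added example, not Jellyfin's code: gate profile image uploads by sniffing
# the payload bytes, accepting only raster formats and rejecting SVG/XML
# regardless of the declared filename extension or Content-Type.
# Assumption: the upload handler calls validate_profile_image(data) first.

# Magic-byte signatures for the raster formats this policy allows.
RASTER_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def detect_raster(data: bytes):
    """Return the allowed raster type whose signature matches, else None."""
    for name, sigs in RASTER_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return name
    # WebP is a RIFF container: "RIFF" <size> "WEBP".
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None


def looks_like_svg(data: bytes) -> bool:
    """True if the leading bytes are an XML prolog or contain an <svg element.

    A UTF-8 BOM and leading whitespace are stripped first so they cannot be
    used to slip past a naive prefix check.
    """
    head = data[:4096].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    return head.startswith(b"<?xml") or b"<svg" in head


def validate_profile_image(data: bytes):
    """Return (accepted, reason). The sniffed content wins over any client claim."""
    if looks_like_svg(data):
        return False, "svg/xml content rejected"
    kind = detect_raster(data)
    if kind is None:
        return False, "unrecognized image format"
    return True, kind
```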

Type: Information Disclosure

Related Identifiers

CVE-2024-43801
GHSA-VCMH-9WX9-RFQH

Affected Products

Jellyfin