CVE-2023-23636
MEDIUMJellyfin 10.8.0-10.8.3 - Stored Cross-Site Scripting via Playlist Name
Title source: llmDescription
In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.
References (3)
Core 3
Core References
Exploit, Issue Tracking, Patch, Third Party Advisory
https://github.com/jellyfin/jellyfin-web/issues/3788
Third Party Advisory
https://herolab.usd.de/security-advisories/
Exploit, Third Party Advisory
https://herolab.usd.de/security-advisories/usd-2022-0030/
Scores
CVSS v3
5.4
EPSS
0.0053
EPSS Percentile
67.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (2)
jellyfin/jellyfin
10.8.0 - 10.8.3
npm/jellyfin-web
10.8.0 - 10.8.4npm
Published
Feb 03, 2023
Tracked Since
Feb 18, 2026