CVE-2023-23636 — Jellyfin Web Cross-Site Scripting (XSS) via Playlist Name

Description

In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

How to fix CVE-2023-23636

To remediate CVE-2023-23636, upgrade the affected package to a fixed version below.

npm/jellyfin-web—upgrade to 10.8.4 or later

Is CVE-2023-23636 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 10.8.0, < 10.8.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-23636
PATCHgithub.com/jellyfin/jellyfin-web
WEBgithub.com/jellyfin/jellyfin/releases/tag/v10.8.4
WEBgithub.com/jellyfin/jellyfin-web/issues/3788
WEB