Stored XSS Vulnerability in Jellyfin Affecting Admin Access
CVE-2022-35910

5.4MEDIUM

Key Information:

Vendor

Jellyfin

Status
Jellyfin
Vendor
CVE Published:
19 August 2022

What is CVE-2022-35910?

In versions of Jellyfin before 10.8, a stored Cross-Site Scripting (XSS) vulnerability exists that allows attackers to steal an administrator’s access token. By exploiting this vulnerability, an attacker could potentially execute malicious scripts in the context of an admin user, leading to unauthorized actions and data compromise.

References

https://docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZL...
x_refsource_MISC
https://github.com/jellyfin/jellyfin/pull/7569/files
x_refsource_MISC
https://medium.com/stolabs/cve-2022-35909-cve-2022-35910-...
x_refsource_MISC

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.