Headline

CVE-2023-23636: Security Advisory usd-2022-0030 | usd HeroLab

In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

1 year ago

CVE

Open in Source

#xss #vulnerability #web #js #java #chrome

usd-2022-0030 | Jellyfin 10.8.1 - Cross-Site Scripting

Advisory ID: usd-2022-0030
Product: Jellyfin
Affected Version: 10.8.1
Vulnerability Type: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79)
Security Risk: Critical
Vendor URL: https://jellyfin.org
Vendor acknowledged vulnerability: Yes
Vendor Status: fixed
CVE number: CVE-2023-23636

Description

The playlist name in Jellyfin 10.8.1 is vulnerable to a stored XSS which allows a low privileged user to steal access tokens from high privileged users.
The injected code is triggered everytime a user visits the playlist page. Since access tokens are stored in the localStorage an attacker is able to take over accounts by reading their values.

Proof of Concept

The following screenshot shows the executed JavaScript payload in the victim’s browser.

The following request creates a payload with injected name.

POST /Playlists?Name=%22%3E%3Cimg%20src%3D%2FX%20onerror%3Dalert(document.domain)%3E&Ids=0358e400bf19a370e7f2e4e69f2af64d&userId=e9239683c3384717810a900f1c2c7eb5 HTTP/1.1
Host: localhost:8096
Content-Length: 0
sec-ch-ua: “Chromium";v="97", " Not;A Brand";v="99”
accept: application/json
Content-Type: application/json
[…]

Fix

It is recommended to treat all input on the website as potentially dangerous.
Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.
The majority of programming languages support standard procedures for encoding meta characters.

References