Jellyfin
by Jellyfin
CVEs (23)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-23636 | | | 0.00 | — | 0.01 | | Feb 3, 2023 | In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim. |
| CVE-2022-35909 | | | 0.00 | — | 0.01 | | Aug 19, 2022 | In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. |
| CVE-2022-35910 | | | 0.00 | — | 0.01 | | Aug 19, 2022 | In Jellyfin before 10.8, stored XSS allows theft of an admin access token. |