usd-2022-0030 | Jellyfin 10.8.1 - Cross-Site Scripting

Advisory ID: usd-2022-0030
Product: Jellyfin
Affected Version: 10.8.1
Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Security Risk: CRITICAL
Vendor URL: https://jellyfin.org
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2023-23636
CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2023-23636

Description

The playlist name in Jellyfin 10.8.1 is vulnerable to stored cross-site scripting (XSS), which allows a low-privileged user to steal access tokens from higher-privileged users.
The injected code is executed every time a user visits the playlist page. Because Jellyfin stores access tokens in the browser's localStorage, the injected script can read them and the attacker can take over the affected accounts.

Proof of Concept

The following screenshot shows the executed JavaScript payload in the victim's browser.

The following request creates a playlist whose name contains the injected payload. The URL-encoded Name parameter decodes to "><img src=/X onerror=alert(document.domain)>, which closes the surrounding attribute and inserts an img element whose onerror handler executes the attacker's JavaScript.

POST /Playlists?Name=%22%3E%3Cimg%20src%3D%2FX%20onerror%3Dalert(document.domain)%3E&Ids=0358e400bf19a370e7f2e4e69f2af64d&userId=e9239683c3384717810a900f1c2c7eb5 HTTP/1.1
Host: localhost:8096
Content-Length: 0
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
accept: application/json
Content-Type: application/json
[...]

Fix

It is recommended to treat all input to the web application as potentially dangerous.
Hence, all output that is generated dynamically from user-controlled data, such as the playlist name, should be encoded according to the context in which it is inserted (HTML element content, attribute value, JavaScript, URL).
Most programming languages and templating frameworks provide standard routines for encoding the relevant meta characters; in the browser, assigning a value via textContent instead of innerHTML avoids HTML interpretation altogether.
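The following is an added example and not Jellyfin's code: it shows the vulnerable pattern (user-controlled playlist name concatenated into markup) next to a hardened version that encodes the value for the HTML element-content and attribute contexts, using the decoded payload from the proof-of-concept request above as input. The function names (escapeHtml, renderPlaylistUnsafe, renderPlaylistSafe, introducesExtraTag) and the markup template are assumptions chosen for illustration.

```javascript
// Added example (not Jellyfin's code): context-aware output encoding for a
// user-controlled playlist name. Function names and the template are hypothetical.

// The decoded payload from the advisory's PoC request (Name= parameter).
const POC_NAME = '"><img src=/X onerror=alert(document.domain)>';

// Encode the characters that carry meaning in HTML text and quoted attribute
// context. '&' must be handled first so already-encoded output is not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the raw name is placed both into an attribute value and
// into element content. A name containing '">' breaks out of the attribute and
// any '<' starts a new tag.
function renderPlaylistUnsafe(name) {
  return `<div class="playlist-name" title="${name}">${name}</div>`;
}

// Hardened pattern: every dynamic value is encoded for the context it lands in.
// The same encoding covers both the double-quoted attribute and the text node.
function renderPlaylistSafe(name) {
  const enc = escapeHtml(name);
  return `<div class="playlist-name" title="${enc}">${enc}</div>`;
}

// Simple check used by this example: does the rendered markup contain any
// opening tag beyond the single <div> the template itself emits?
// Closing tags (</div>) are not counted because '/' is not a letter.
function introducesExtraTag(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length > 1;
}

// Stand-alone demonstration.
console.log('unsafe :', renderPlaylistUnsafe(POC_NAME));
console.log('safe   :', renderPlaylistSafe(POC_NAME));
console.log('unsafe introduces extra tag:', introducesExtraTag(renderPlaylistUnsafe(POC_NAME)));
console.log('safe introduces extra tag  :', introducesExtraTag(renderPlaylistSafe(POC_NAME)));
```

When the name is written into the live DOM rather than into a markup string, prefer element.textContent = name (or element.setAttribute('title', name)), which never interprets the value as HTML; the encoding function above is for code paths that must build HTML strings.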

References

Timeline

  • 2022-07-18: First contact request via security@jellyfin.org
  • 2022-08-02: Vulnerability details submitted
  • 2022-08-16: Fixed by Vendor
  • 2023-01-16: Requested CVE assigned
  • 2023-01-19: The advisory is published

Credits

This security vulnerability was found by Christian Pöschl of usd AG.