Vulnerability Description
In Jellyfin before 10.8, stored XSS allows theft of an admin access token.
CVSS Score
5.4
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jellyfin | Jellyfin | < 10.8 |
Related Weaknesses (CWE)
References
- https://docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/ExploitThird Party Advisory
- https://github.com/jellyfin/jellyfin/pull/7569/filesPatchThird Party Advisory
- https://medium.com/stolabs/cve-2022-35909-cve-2022-35910-incorrect-access-controExploitThird Party Advisory
- https://docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/ExploitThird Party Advisory
- https://github.com/jellyfin/jellyfin/pull/7569/filesPatchThird Party Advisory
- https://medium.com/stolabs/cve-2022-35909-cve-2022-35910-incorrect-access-controExploitThird Party Advisory
FAQ
What is CVE-2022-35910?
CVE-2022-35910 is a vulnerability with a CVSS score of 5.4 (MEDIUM). In Jellyfin before 10.8, stored XSS allows theft of an admin access token.
How severe is CVE-2022-35910?
CVE-2022-35910 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-35910?
Check the references section above for vendor advisories and patch information. Affected products include: Jellyfin Jellyfin.