Jellyfin Web Cross-Site Scripting (XSS) via Playlist Name
In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.
Advisories for Npm/Jellyfin-Web package
2023
Jellyfin Web Cross-Site Scripting (XSS) via Collection Name
In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.