In Jellyfin 10.8.x up to and including 10.8.3, the name of a collection is vulnerable to stored XSS. This allows a malicious user to steal access tokens from the localStorage of the victim.
Vulnerable Product |
---|
jellyfin jellyfin |