CVE-2022-35910 in Jellyfin

Summary

by MITRE • 08/19/2022

In Jellyfin before 10.8, stored XSS allows theft of an admin access token.


Analysis

by VulDB Data Team • 09/24/2022

The vulnerability identified as CVE-2022-35910 represents a critical stored cross-site scripting flaw within the Jellyfin media server software prior to version 10.8. This vulnerability exists in the web interface where user input is not properly sanitized before being stored and subsequently rendered back to users. The flaw allows an attacker to inject malicious scripts that persist within the application's database, making it a stored XSS vulnerability rather than a reflected one. When an administrator or other user views the affected content, the malicious script executes in their browser context, potentially leading to unauthorized access to administrative functions.

The technical root of this vulnerability is inadequate input validation and output encoding within Jellyfin's web application layer. Specifically, when users submit data through various administrative interfaces, the system fails to properly sanitize special characters and script tags that could be used to execute malicious code. The vulnerability is particularly dangerous because it targets the administrative interface where access tokens are stored and managed, allowing an attacker to steal these tokens and assume administrative privileges. This type of flaw aligns with CWE-79, which categorizes cross-site scripting vulnerabilities as a result of insufficient input validation and output encoding.

The operational impact of CVE-2022-35910 extends beyond simple data theft, as successful exploitation enables full administrative control over affected Jellyfin installations. Attackers can leverage stolen access tokens to modify user permissions, access sensitive media libraries, alter system configurations, and potentially escalate their privileges further within the network. The persistence of stored XSS makes this vulnerability particularly dangerous because the malicious script remains active even after the initial injection, continuously compromising any user who accesses the affected content. This vulnerability directly maps to ATT&CK technique T1566.001 which covers credential access through social engineering and manipulation of web applications.

Mitigation of this vulnerability requires immediate patching of Jellyfin installations to version 10.8 or later, where the XSS flaws have been addressed through proper input sanitization and output encoding. Organizations should also implement additional security measures, including regular security audits of web applications, monitoring for suspicious user activity, and web application firewalls to detect and block malicious script injections. Network segmentation and the principle of least privilege should be enforced to limit the potential damage if exploitation occurs. Security teams should conduct thorough vulnerability assessments of all web-based applications and ensure proper input validation is implemented across all user-facing interfaces. The fix implemented in Jellyfin 10.8 demonstrates the importance of proper content sanitization and the application of security best practices to prevent stored XSS vulnerabilities from compromising administrative systems.
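The two mitigations the analysis names, output encoding at render time and auditing what is already stored, are easy to show in a few lines. The following is an added example and is not Jellyfin's code or its actual fix; the record shape, the `displayName` field and the sample values are constructed placeholders, since the page does not say which input field was affected. It contrasts the unsafe concatenation pattern with encoded output and includes a small audit helper that flags persisted values containing tag-like markup.

```javascript
// Added example (not Jellyfin's code): output encoding for untrusted, stored
// text before it is interpolated into HTML, plus an audit helper that flags
// stored values containing markup. Record shape and sample values are constructed.

const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode the five characters that can change HTML structure or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable pattern: stored text concatenated straight into markup.
function renderUnsafe(displayName) {
  return `<span class="user-name">${displayName}</span>`;
}

// Fixed pattern: encode at the point of output, regardless of what was stored.
function renderSafe(displayName) {
  return `<span class="user-name">${escapeHtml(displayName)}</span>`;
}

// Heuristic used by the audit helper: an HTML tag opener, i.e. '<' followed by
// an optional '/' and a letter (so a bare '<' in text such as "1 < 2" is not flagged).
const TAG_OPENER = /<\/?[a-z]/i;

// Audit helper for stored records: returns the ids and fields whose values
// contain tag-like markup, so defenders can review what is already persisted.
function auditStoredFields(records, fields) {
  const findings = [];
  for (const record of records) {
    for (const field of fields) {
      const value = record[field];
      if (typeof value === 'string' && TAG_OPENER.test(value)) {
        findings.push({ id: record.id, field });
      }
    }
  }
  return findings;
}

// Constructed sample records: one benign, one carrying a script tag in its
// display name, one with a harmless '<' that must not be flagged.
const SAMPLE_RECORDS = [
  { id: 1, name: 'alice', displayName: 'Alice' },
  { id: 2, name: 'mallory', displayName: 'Mallory <script>alert(1)</script>' },
  { id: 3, name: 'bob', displayName: '1 < 2 is true' },
];

function demo() {
  const unsafe = renderUnsafe(SAMPLE_RECORDS[1].displayName);
  const safe = renderSafe(SAMPLE_RECORDS[1].displayName);
  const findings = auditStoredFields(SAMPLE_RECORDS, ['name', 'displayName']);
  console.log('unsafe :', unsafe);
  console.log('safe   :', safe);
  console.log('audit  :', JSON.stringify(findings));
  return { unsafe, safe, findings };
}

demo();
```

In a browser, assigning `element.textContent = value` gives the same guarantee as `escapeHtml` without building markup strings at all; encoding at output rather than trusting whatever sanitization happened at input is what makes the fix hold even for values that were stored before the patch.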

Reservation

07/15/2022

Disclosure

08/19/2022

Moderation

accepted

CPE

ready

EPSS

0.00670

KEV

no

Activities

very low

Sources
