Item cards allow XSS via aria label #3788

Closed
thornbill opened this issue Aug 2, 2022 · 0 comments

Labels: bug (Something isn't working), regression (We broke something), security (This PR or issue mainly concerns security)
thornbill commented Aug 2, 2022

Describe The Bug
The aria labels added to cards for accessibility in 10.8 do not properly strip HTML from item names.

Steps To Reproduce

  1. Edit an item's name property to include a common method of XSS injection (e.g. `"><img src=/X onerror=alert("xss")>`).
  2. Navigate to any page with that item's card visible (home screen, library screen, item details screen, etc.).
  3. See that an alert box opens with the text "xss".

Expected Behavior
Any HTML should be escaped in the item name before using it as the label.

Logs
N/A

Screenshots
N/A

System (please complete the following information):

  • Platform: All
  • Browser: All
  • Jellyfin Version: 10.8.0-10.8.3

Additional Context
This security vulnerability was reported to Jellyfin by Christian Pöschl of usd AG following Jellyfin's security policy. The issue was reported as Advisory IDs usd-2022-0030 and usd-2022-0031.

@thornbill thornbill added bug Something isn't working regression We broke something security This PR or issue mainly concerns security labels Aug 2, 2022
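The report's expected behavior, escaping the item name before it is used as the attribute value, is illustrated below as an added example. This is not jellyfin-web's own code or its actual fix; the `escapeHtml` helper, the `buildCard*` functions and the sample item object are constructed here for illustration. The sample name is the payload quoted in the report, and the comparison shows why interpolating it raw into `aria-label="..."` lets it close the attribute and inject a second element, while the escaped form stays a single inert attribute value.

```javascript
// Added example (not jellyfin-web code): escaping an untrusted item name
// before interpolating it into an aria-label attribute in an HTML string.

// Map of the five characters that can break out of attribute or text
// context when building HTML from strings.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every HTML-significant character so the result can only ever be
// read by the browser as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample item: the name carries the payload quoted in the report.
const SAMPLE_ITEM = {
  Id: 'constructed-item-id',
  Name: '"><img src=/X onerror=alert("xss")>',
};

// Vulnerable pattern: the raw name is interpolated into the attribute.
// The leading `">` closes aria-label and the <img ...> becomes a real element.
function buildCardVulnerable(item) {
  return `<button class="card" aria-label="${item.Name}">Item card</button>`;
}

// Fixed pattern: the name is escaped first, so `"` and `<` cannot terminate
// the attribute or start a tag; the label still reads as the original text.
function buildCardEscaped(item) {
  return `<button class="card" aria-label="${escapeHtml(item.Name)}">Item card</button>`;
}

// Count opening tags in a markup string. A card must contain exactly one
// element (the button itself); anything more means the name injected markup.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Stand-alone demonstration.
console.log('vulnerable:', buildCardVulnerable(SAMPLE_ITEM));
console.log('  opening tags:', countOpeningTags(buildCardVulnerable(SAMPLE_ITEM)));
console.log('escaped:   ', buildCardEscaped(SAMPLE_ITEM));
console.log('  opening tags:', countOpeningTags(buildCardEscaped(SAMPLE_ITEM)));
```

When the card is built with DOM APIs instead of string concatenation, `element.setAttribute('aria-label', item.Name)` avoids the problem without any escaping, because the value is never parsed as markup; the escaping approach above is what applies when the markup is assembled as a string, as the report describes.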