CVE-2022-36223

medium

Description

In Emby Server 4.6.7.0, the playlist name field is vulnerable to XSS stored where it is possible to steal the administrator access token and flip or steal the media server administrator account.

References

https://medium.com/stolabs/cve-2022-36223-administrator-account-takeover-in-emby-media-server-616fc2a6704f

https://medium.com/%40cupc4k3/administrator-account-takeover-in-emby-media-server-616fc2a6704f

Details

Source: Mitre, NVD

Published: 2022-12-16

Updated: 2025-04-18

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N