← Advisories

Emby MediaServer 3.2.5 Reflected XSS Vulnerability

Medium

Advisory ID

ZSL-2017-5402

Release Date

30 April 2017

Vendor

Emby LLC - https://www.emby.media

Affected Version

3.2.5, 3.1.5, 3.1.2, 3.1.1, 3.1.0, 3.0.0

CVE

N/A

Tested On

Microsoft Windows 7 Professional SP1 (EN), Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50, Ubuntu Linux 14.04.5, MacOS Sierra 10.12.3, SQLite3

Summary

Emby (formerly Media Browser) is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client-server model. Two comparable media servers are Plex and Windows Media Center.

Description

Emby suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the URL path filename when handling 'not found' errors. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

Proof of Concept

emby_xss.txtTXT

Disclosure Timeline

22.12.2016Vulnerability discovered.

25.04.2017Vendor communicated via Beyond Security's SecuriTeam Secure Disclosure program.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]https://blogs.securiteam.com/index.php/archives/3098

[2]https://cxsecurity.com/issue/WLB-2017040202

[3]https://packetstormsecurity.com/files/142356/

Changelog

30.04.2017Initial release

02.05.2017Added reference [2] and [3]