Fortinet Discovers Emby Media Server Authenticated Cross-Site-Scripting Vulnerability
Summary
Fortinet's FortiGuard Labs has discovered an authenticated cross-site scripting vulnerability in Emby Media Server.
Emby Media Server is software that automatically converts and streams your media on the fly so it can play on any device.
Emby Media Server is susceptible to an authenticated cross-site scripting (XSS) vulnerability. The issue occurs because input in the custom device name field is neither sanitized nor validated. The vulnerability can be exploited by injecting HTML that uses an event handler to execute JavaScript.
Solutions
FortiGuard Labs released the following FortiGate IPS signature, which covers this specific vulnerability: Emby.Media.Server.DevicesOptions.CustomName.XSS
Released Feb 19, 2019
This issue has been fixed in the latest version of Emby Media Server. Affected customers should update their Emby Media Server to version 4.1 or above.
Timeline
[18-02-2019 02:48 PM] Notified the administrator (Emby forum; name of POC: Luke) and submitted the POC
[25-02-2019 01:09 PM] Enquired if there was a plan for making a CVE for this.
[28-02-2019 02:17 PM] Sent an enquiry for a response and acknowledgement
[28-02-2019 02:20 PM] Luke replied to the PM and stated that it would be addressed in the upcoming version 4.1.
[03-04-2019 04:32 PM] Luke sent a message stating that it had been resolved in beta version 4.1.0.19 and would be in the upcoming version 4.1 for GA
[30-04-2019] Version 4.1 has been released
[09-05-2019] Verified that the bug has been fixed.
[13-05-2019 11:33 AM] Requested disclosure on the FortiGuard web page
[13-05-2019 11:57 AM] Luke requested confirmation of the vulnerability fix in the current version 4.1 (GA)
[13-05-2019 05:25 PM] Sent an acknowledgement confirming that the vulnerability has been fixed
[14-05-2019 12:46 PM] Luke gave approval for disclosure on the condition that it be stated that the issue was fixed in 4.1.
[15-05-2019 06:02 PM] Acknowledged the approval and condition and updated the details in the Signal