Zero-Day Advisory

Fortinet Discovers Emby Media Server Authenticated Cross-Site-Scripting Vulnerability

Summary

Fortinet's FortiGuard Labs has discovered a Authenticated Cross-site Scripting vulnerability in Emby Media Server.

Emby Media Server is a software which automatically converts and streams your media on-the-fly to play on any device.

Emby Media Server is susceptible to an authenticated cross site scripting vulnerability. The issue occurs due to the lack of input sanitization and validation in the custom device name field. The vulnerability can be exploited by injecting a html code which make use of an event handler to execute a Javascript.

Solutions

FortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:

Emby.Media.Server.DevicesOptions.CustomName.XSS
Released Feb 19, 2019

This solution have been fixed in the latest version of Emby Media Server. Affected customers should update their Emby Media Server to 4.1. and above

Timeline

[18-02-2019 02:48 PM] Notified the administrator (emby forum - name of POC -> Luke) and submit the POC

[25-02-2019 01:09 PM] Enquired if there is a plan for making a CVE for this.

[28-02-2019 02:17 PM] Send an enquiry for response and acknowledgement 

[28-02-2019 02:20 PM] Luke replies the PM and state that it will be address in the upcoming version 4.1.

[03-04-2019 04:32 PM] Luke sends a message stating that it has been resolved in the beta version 4.1.0.19 and will be in the upcoming version 4.1. for GA 

[30-04-2019] Version 4.1. have been released 

[09-05-2019] Verified that the bug have been fixed.

[13-05-2019 11:33 AM] Request for disclosure in the fortiguard web page

[13-05-2019 11:57 AM] Luke request for confirmation of vuln fix in the current version 4.1. (GA)

[13-05-2019 05:25 PM] Sent an acknowledgement to confirm that the vuln have been fixed

[14-05-2019 12:46 PM] Luke gave the approval for disclosure with the condition of having to state that it have been fixed in 4.1.

[15-05-2019 06:02 PM] Acknowledged the approval and condition and update the details in the Signal

[16-05-2019 12:25 PM] Update the timeline

Acknowledgement

This vulnerability was discover by Chua Wei Kiat of Fortinet's FortiGuard Labs.

IPS Subscription

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this vulnerability with the appropriate configuration parameters in place. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by FortiGuard Labs, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.