Fortinet Discovers Emby Media Server Authenticated Cross-Site-Scripting Vulnerability
Fortinet's FortiGuard Labs has discovered a Authenticated Cross-site Scripting vulnerability in Emby Media Server.
Emby Media Server is a software which automatically converts and streams your media on-the-fly to play on any device.
SolutionsFortiGuard Labs released the following FortiGate IPS signature which covers this specific vulnerability:
Released Feb 19, 2019
This solution have been fixed in the latest version of Emby Media Server. Affected customers should update their Emby Media Server to 4.1. and above
[18-02-2019 02:48 PM] Notified the administrator (emby forum - name of POC -> Luke) and submit the POC
[25-02-2019 01:09 PM] Enquired if there is a plan for making a CVE for this.
[28-02-2019 02:17 PM] Send an enquiry for response and acknowledgement
[28-02-2019 02:20 PM] Luke replies the PM and state that it will be address in the upcoming version 4.1.
[03-04-2019 04:32 PM] Luke sends a message stating that it has been resolved in the beta version 18.104.22.168 and will be in the upcoming version 4.1. for GA
[30-04-2019] Version 4.1. have been released
[09-05-2019] Verified that the bug have been fixed.
[13-05-2019 11:33 AM] Request for disclosure in the fortiguard web page
[13-05-2019 11:57 AM] Luke request for confirmation of vuln fix in the current version 4.1. (GA)
[13-05-2019 05:25 PM] Sent an acknowledgement to confirm that the vuln have been fixed
[14-05-2019 12:46 PM] Luke gave the approval for disclosure with the condition of having to state that it have been fixed in 4.1.
[15-05-2019 06:02 PM] Acknowledged the approval and condition and update the details in the Signal
This vulnerability was discover by Chua Wei Kiat of Fortinet's FortiGuard Labs.