Vulnerabilites related to emby - emby
CVE-2021-25828 (GCVE-0-2021-25828)
Vulnerability from cvelistv5
Published
2023-06-28 00:00
Modified
2024-12-05 16:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Emby Server versions < 4.6.0.50 is vulnerable to Cross Site Scripting (XSS) vulnerability via a crafted GET request to /web.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:11:28.479Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/MediaBrowser/Emby/issues/3785"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-25828",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-05T16:50:18.022150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-05T16:51:27.114Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Emby Server versions \u003c 4.6.0.50 is vulnerable to Cross Site Scripting (XSS) vulnerability via a crafted GET request to /web."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-28T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/MediaBrowser/Emby/issues/3785"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-25828",
"datePublished": "2023-06-28T00:00:00",
"dateReserved": "2021-01-22T00:00:00",
"dateUpdated": "2024-12-05T16:51:27.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-26948 (GCVE-0-2020-26948)
Vulnerability from cvelistv5
Published
2020-10-10 20:12
Modified
2024-08-04 16:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/btnz-k/emby_ssrf | x_refsource_MISC | |
| https://github.com/btnz-k/emby_ssrf/blob/master/emby_scan.rb | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:03:23.115Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/btnz-k/emby_ssrf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/btnz-k/emby_ssrf/blob/master/emby_scan.rb"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-10T20:12:31",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/btnz-k/emby_ssrf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/btnz-k/emby_ssrf/blob/master/emby_scan.rb"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-26948",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/btnz-k/emby_ssrf",
"refsource": "MISC",
"url": "https://github.com/btnz-k/emby_ssrf"
},
{
"name": "https://github.com/btnz-k/emby_ssrf/blob/master/emby_scan.rb",
"refsource": "MISC",
"url": "https://github.com/btnz-k/emby_ssrf/blob/master/emby_scan.rb"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-26948",
"datePublished": "2020-10-10T20:12:31",
"dateReserved": "2020-10-10T00:00:00",
"dateUpdated": "2024-08-04T16:03:23.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36223 (GCVE-0-2022-36223)
Vulnerability from cvelistv5
Published
2022-12-16 00:00
Modified
2025-04-18 13:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In Emby Server 4.6.7.0, the playlist name field is vulnerable to XSS stored where it is possible to steal the administrator access token and flip or steal the media server administrator account.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:00:04.341Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://medium.com/%40cupc4k3/administrator-account-takeover-in-emby-media-server-616fc2a6704f"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-36223",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T13:24:20.599133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T13:24:24.550Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://medium.com/stolabs/cve-2022-36223-administrator-account-takeover-in-emby-media-server-616fc2a6704f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Emby Server 4.6.7.0, the playlist name field is vulnerable to XSS stored where it is possible to steal the administrator access token and flip or steal the media server administrator account."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-16T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://medium.com/%40cupc4k3/administrator-account-takeover-in-emby-media-server-616fc2a6704f"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-36223",
"datePublished": "2022-12-16T00:00:00.000Z",
"dateReserved": "2022-07-18T00:00:00.000Z",
"dateUpdated": "2025-04-18T13:24:24.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25827 (GCVE-0-2021-25827)
Vulnerability from cvelistv5
Published
2023-06-28 00:00
Modified
2025-02-13 16:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Emby Server < 4.7.12.0 is vulnerable to a login bypass attack by setting the X-Forwarded-For header to a local IP-address.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:11:28.415Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://emby.media/community/index.php?/topic/98191-emby-server-46-released/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/MediaBrowser/Emby/issues/3784"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/EmbySupport/security/security/advisories/GHSA-fffj-6fr6-3fgf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-25827",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-03T16:50:24.601886Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-03T16:50:33.342Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Emby Server \u003c 4.7.12.0 is vulnerable to a login bypass attack by setting the X-Forwarded-For header to a local IP-address."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-28T19:31:05.242Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://emby.media/community/index.php?/topic/98191-emby-server-46-released/"
},
{
"url": "https://github.com/MediaBrowser/Emby/issues/3784"
},
{
"url": "https://github.com/EmbySupport/security/security/advisories/GHSA-fffj-6fr6-3fgf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-25827",
"datePublished": "2023-06-28T00:00:00.000Z",
"dateReserved": "2021-01-22T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:50.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2023-06-28 20:15
Modified
2024-11-21 05:55
Severity ?
Summary
Emby Server versions < 4.6.0.50 is vulnerable to Cross Site Scripting (XSS) vulnerability via a crafted GET request to /web.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/MediaBrowser/Emby/issues/3785 | Exploit, Issue Tracking, Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/MediaBrowser/Emby/issues/3785 | Exploit, Issue Tracking, Patch |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:emby:emby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8428649E-160E-487E-A8F3-3D8F28AA0200",
"versionEndExcluding": "4.6.0.50",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Emby Server versions \u003c 4.6.0.50 is vulnerable to Cross Site Scripting (XSS) vulnerability via a crafted GET request to /web."
}
],
"id": "CVE-2021-25828",
"lastModified": "2024-11-21T05:55:29.173",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-28T20:15:09.453",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Patch"
],
"url": "https://github.com/MediaBrowser/Emby/issues/3785"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch"
],
"url": "https://github.com/MediaBrowser/Emby/issues/3785"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-12-16 14:15
Modified
2025-04-18 14:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
In Emby Server 4.6.7.0, the playlist name field is vulnerable to XSS stored where it is possible to steal the administrator access token and flip or steal the media server administrator account.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:emby:emby:4.6.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A5594D8F-4EB6-4ECD-9280-EFD9BA711720",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Emby Server 4.6.7.0, the playlist name field is vulnerable to XSS stored where it is possible to steal the administrator access token and flip or steal the media server administrator account."
},
{
"lang": "es",
"value": "En Emby Server 4.6.7.0, el campo del nombre de la lista de reproducci\u00f3n es vulnerable al XSS almacenado donde es posible robar el token de acceso del administrador y voltear o robar la cuenta del administrador del servidor de medios."
}
],
"id": "CVE-2022-36223",
"lastModified": "2025-04-18T14:15:18.570",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-12-16T14:15:09.097",
"references": [
{
"source": "cve@mitre.org",
"url": "https://medium.com/%40cupc4k3/administrator-account-takeover-in-emby-media-server-616fc2a6704f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://medium.com/%40cupc4k3/administrator-account-takeover-in-emby-media-server-616fc2a6704f"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"url": "https://medium.com/stolabs/cve-2022-36223-administrator-account-takeover-in-emby-media-server-616fc2a6704f"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-10 21:15
Modified
2024-11-21 05:20
Severity ?
Summary
Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/btnz-k/emby_ssrf | Third Party Advisory | |
| cve@mitre.org | https://github.com/btnz-k/emby_ssrf/blob/master/emby_scan.rb | Broken Link, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/btnz-k/emby_ssrf | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/btnz-k/emby_ssrf/blob/master/emby_scan.rb | Broken Link, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:emby:emby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A3F314ED-53B5-44BB-8C32-4FFE177161FA",
"versionEndExcluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter."
},
{
"lang": "es",
"value": "Emby Server versiones anteriores a 4.5.0, permite un ataque de tipo SSRF por medio del par\u00e1metro ImageURL del archivo Items/RemoteSearch/Image"
}
],
"id": "CVE-2020-26948",
"lastModified": "2024-11-21T05:20:33.687",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-10T21:15:12.017",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/btnz-k/emby_ssrf"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "https://github.com/btnz-k/emby_ssrf/blob/master/emby_scan.rb"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/btnz-k/emby_ssrf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory"
],
"url": "https://github.com/btnz-k/emby_ssrf/blob/master/emby_scan.rb"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-06-28 20:15
Modified
2024-11-21 05:55
Severity ?
Summary
Emby Server < 4.7.12.0 is vulnerable to a login bypass attack by setting the X-Forwarded-For header to a local IP-address.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://emby.media/community/index.php?/topic/98191-emby-server-46-released/ | Product | |
| cve@mitre.org | https://github.com/EmbySupport/security/security/advisories/GHSA-fffj-6fr6-3fgf | Not Applicable | |
| cve@mitre.org | https://github.com/MediaBrowser/Emby/issues/3784 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://emby.media/community/index.php?/topic/98191-emby-server-46-released/ | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/EmbySupport/security/security/advisories/GHSA-fffj-6fr6-3fgf | Not Applicable | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/MediaBrowser/Emby/issues/3784 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:emby:emby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D8269B6B-081E-4BA9-BF1F-92730FFD72F5",
"versionEndExcluding": "4.7.12.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Emby Server \u003c 4.7.12.0 is vulnerable to a login bypass attack by setting the X-Forwarded-For header to a local IP-address."
}
],
"id": "CVE-2021-25827",
"lastModified": "2024-11-21T05:55:29.010",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-28T20:15:09.397",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://emby.media/community/index.php?/topic/98191-emby-server-46-released/"
},
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "https://github.com/EmbySupport/security/security/advisories/GHSA-fffj-6fr6-3fgf"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/MediaBrowser/Emby/issues/3784"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://emby.media/community/index.php?/topic/98191-emby-server-46-released/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://github.com/EmbySupport/security/security/advisories/GHSA-fffj-6fr6-3fgf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/MediaBrowser/Emby/issues/3784"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-290"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}