### Summary

Emby (formerly Media Browser) is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source and uses a client-server model. Two comparable media servers are Plex and Windows Media Center.

### Description

Emby suffers from an XSS issue due to a failure to properly sanitize user-supplied input in the URL path filename when handling 'not found' errors. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

### Vendor

Emby LLC - https://www.emby.media

### Affected Version

* 3.2.5
* 3.1.5
* 3.1.2
* 3.1.1
* 3.1.0
* 3.0.0

### Tested On

* Microsoft Windows 7 Professional SP1 (EN)
* Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
* Ubuntu Linux 14.04.5
* MacOS Sierra 10.12.3
* SQLite3

### PoC

```
http://TARGET/web/"><script>alert(251)</script>
```
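The flaw is a 'not found' handler that reflects the requested filename into the HTML error page without escaping it. The following is an added illustration (not Emby's code): a hypothetical minimal 404 renderer in its vulnerable and hardened forms, with a check that feeds in the advisory's own PoC path as a browser would URL-encode it.

```python
import html
from urllib.parse import unquote

# Constructed request path: the advisory's PoC payload, percent-encoded
# the way a browser sends it on the wire.
POC_PATH = "/web/%22%3E%3Cscript%3Ealert(251)%3C/script%3E"
POC_MARKUP = "<script>alert(251)</script>"


def not_found_body_vulnerable(path: str) -> str:
    """Hypothetical handler mirroring the flaw: the decoded path is
    interpolated into HTML verbatim, so markup in the filename executes."""
    name = unquote(path)
    return f"<html><body><h1>404</h1><p>File not found: {name}</p></body></html>"


def not_found_body_fixed(path: str) -> str:
    """Hardened form: HTML-escape the decoded path before reflecting it.
    quote=True also encodes ' and ", which matters because the PoC
    starts with a double quote to break out of an attribute context."""
    name = html.escape(unquote(path), quote=True)
    return f"<html><body><h1>404</h1><p>File not found: {name}</p></body></html>"


def reflects_raw_markup(body: str, payload: str = POC_MARKUP) -> bool:
    """Simple regression check: True if the payload appears verbatim
    (unescaped) in the rendered error page."""
    return payload in body


def not_found_headers() -> dict:
    """Defence in depth for an error page: explicit content type, no
    inline script allowed, and no MIME sniffing."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print("vulnerable reflects payload:",
          reflects_raw_markup(not_found_body_vulnerable(POC_PATH)))
    print("fixed reflects payload:",
          reflects_raw_markup(not_found_body_fixed(POC_PATH)))
```

The same check can be pointed at a live error page's body to confirm a patched build no longer echoes the filename unescaped.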