The following advisory describes three (3) vulnerabilities found in Emby Media Server.
Affected versions are: 3.1.5, 3.1.2, 3.1.1, 3.1.0 and 3.0.0.
Emby Media Server (formerly Media Browser) is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source and uses a client-server model. Two comparable media servers are Plex and Windows Media Center.
The vulnerabilities found in Emby Media Server are:
- Directory Traversal
- File Disclosure
- SQL Injection
An independent security researcher, Gjoko Krstic from Zero Science Lab, reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.
Emby was notified about the vulnerabilities in March 2017. Shortly afterwards, they released a new version that addresses these vulnerabilities. However, they have not provided any version information or release notes that reflect this.