The following advisory describes a five (5) vulnerabilities found in Serviio Media Server. Affected version: 18.104.22.168 PRO, 1.7.1, 1.7.0, 1.6.1.
Serviio is a free media server. It allows you to stream your media files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, games console or mobile phone) on your connected home network.
Serviio works with many devices from your connected home (TV, Playstation 3, XBox 360, smart phones, tablets, etc.). It supports profiles for particular devices so that it can be tuned to maximise the device’s potential and/or minimize lack of media format playback support (via transcoding).
Serviio is based on Java technology and therefore runs on most platforms, including Windows, Mac and Linux (incl. embedded systems, e.g. NAS).
The vulnerabilities found in Serviio Media Server are:
- Remote Code Execution
- Local Privilege Escalation
- Unauthenticated Password Modification
- Information Disclosure
- DOM-Based Cross-Site Scripting (XSS)
An independent security researcher Gjoko Krstic from Zero Science Lab has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
We have tried on numerous occasions over the past two months to contact the vendor, all emails sent to them went unanswered.