Emby Server Remote Code Execution Vulnerability via XSS in Admin Dashboard
Vulnerability
A remote code execution vulnerability has been identified in Emby Server versions prior to 4.8.1.0 and in Beta versions prior to 4.9.0.0-beta. The server does not sanitize the X-Emby-Client value supplied in an authentication request; the value is stored and later rendered, unescaped, in the devices section of the admin dashboard. An attacker can therefore inject JavaScript that runs in an administrator's browser session, which gives the script access to every service endpoint the administrator can reach.
Impact
Exploitation of this vulnerability allows for remote code execution on the server, with the injected code running in the context of an administrator.
Reproduction
To reproduce this vulnerability, send an authentication request to the Emby server's user authentication endpoint. Include a manipulated X-Emby-Client header with a payload that exploits the cross-site scripting vulnerability by executing JavaScript, such as logging the document domain to the console. The request should also include a valid username and password. Once the payload is executed, the injected script can be used to perform actions on behalf of the administrator, such as downloading and executing a malicious executable from the internet.
Remediation
Users should update to Emby Server version 4.8.1.0 or Beta version 4.9.0.0-beta, where this vulnerability has been patched.
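The root cause described above is untrusted header text being concatenated into dashboard markup. The following added example (not Emby's code) shows the flawed rendering pattern beside its hardened form, and a small log check a defender can run over reverse-proxy logs to spot client names carrying markup while hosts are being upgraded. The log format, the authentication path and all sample values are constructed assumptions for this illustration.

```javascript
// Added example (not Emby's code): escape untrusted device/client names before
// rendering them in the dashboard, and flag X-Emby-Client values carrying markup.
// All names, paths and inputs below are constructed for illustration.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Flaw pattern: the client-supplied name is concatenated straight into markup.
function renderDeviceRowUnsafe(device) {
  return '<tr><td>' + device.client + '</td><td>' + device.user + '</td></tr>';
}

// Hardened form: every untrusted field is escaped before it reaches the DOM.
function renderDeviceRow(device) {
  return '<tr><td>' + escapeHtml(device.client) +
         '</td><td>' + escapeHtml(device.user) + '</td></tr>';
}

// Detection heuristic: a legitimate client name never contains tags,
// a javascript: scheme or an inline event-handler attribute.
const MARKUP_PATTERN = /<[^>]*>|javascript:|on[a-z]+\s*=/i;
function isSuspiciousClientHeader(value) {
  return MARKUP_PATTERN.test(String(value));
}

// Constructed sample proxy log lines (assumed format: METHOD PATH "X-Emby-Client" STATUS).
const SAMPLE_LOG = [
  'POST /Users/AuthenticateByName "Emby Web" 200',
  'POST /Users/AuthenticateByName "Emby for Android" 200',
  'POST /Users/AuthenticateByName "<script>probe()</script>" 200', // inert test value
];

// Return the log lines whose quoted client header value looks like markup.
function findSuspiciousLogins(lines) {
  const flagged = [];
  for (const line of lines) {
    const m = line.match(/"([^"]*)"/);
    if (m && isSuspiciousClientHeader(m[1])) flagged.push(line);
  }
  return flagged;
}

// Stand-alone run: print the escaped row and any flagged log lines.
console.log(renderDeviceRow({ client: SAMPLE_LOG[2].match(/"([^"]*)"/)[1], user: 'admin' }));
console.log(findSuspiciousLogins(SAMPLE_LOG));
```

The escaping fix is the one that actually closes the hole; the log heuristic is only a compensating control for finding hosts that received such requests before they were patched, and it will miss values that avoid the three patterns it checks.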