Summary
Plex Media Server is installed on this host and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow remote attackers to disclose certain sensitive information and bypass certain security restrictions.
Impact Level: Application
Solution
Upgrade to Plex Media Server version 0.9.9.3 or later. For updates, refer to http://www.plex.tv
Insight
The flaws are due to:
- An error in '/system/proxy' which fails to validate pre-authentication user requests.
- Input appended to the URL after 'manage', 'web' and 'resources' is not properly sanitised before being used to read files.
Affected
Plex Media Server versions 0.9.9.2.374-aa23a69 and prior.
Detection
Get the installed version with the help of the detect NVT and check whether the version is vulnerable.
References
- http://osvdb.org/103839
- http://osvdb.org/103840
- http://osvdb.org/103841
- http://osvdb.org/103861
- http://secunia.com/advisories/57205
- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140228-1_Plex_Media_Server_Authentication_bypass_local_file_disclosure_v10.txt
Updated on 2015-03-25
Severity
Classification
- CVE: CVE-2014-9181, CVE-2014-9304
- CVSS Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)