BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to the Zeroday Tracker: Your Vulnerability Watchlist

Get critical updates on the latest zeroday threats, including impact, mitigation and protection information - only from BeyondTrust.

Plex Media Server Multiple Vulnerabilities

Disclosed: February 6, 2014 | Zeroday: 226 days

Vulnerability Description:

Plex Media Server contains several vulnerabilities which may allow for remote code execution, information disclosure, and cross-site request forgery.

Vendors:

Plex

Vulnerable Software/Devices:

Plex Media Server 0.9.9.10 and possibly other versions

Vulnerability Severity:

High

Exploit Availability:

No Exploit Available

Exploit Impact:

Remote Code Execution
This is a remote code execution vulnerability exploitable through a man-in-the-middle attack. Plex retrieves "App" code over plaintext protocols such as HTTP, so an attacker positioned between Plex and the server it downloads from can replace that code with a malicious payload, which Plex then executes. A remote attacker on the same network as the target may thereby execute arbitrary code within the context of Plex.

Cross-site Request Forgery
Plex does not validate HTTP requests, so an attacker who lures an already logged-in administrative user to a specially crafted web page can cause that user's browser to issue requests to Plex on the attacker's behalf.
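The weakness above is the classic cross-site request forgery pattern: a server acts on any state-changing request that carries the admin's session cookie, without checking that the request was initiated by its own UI. The following is an added example, not Plex's code or BeyondTrust's, showing a minimal vulnerable handler beside a hardened one that requires a per-session anti-CSRF token and checks the Origin header. The request and session objects, the endpoint path and the origin "http://media.example" are all constructed for illustration.

```python
"""Added example: a CSRF-vulnerable settings handler beside a hardened one.
Request, Session, the endpoint path and the trusted origin are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field

TRUSTED_ORIGINS = {"http://media.example"}  # hypothetical origin of the server's own UI


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    # One random token per login session; the UI embeds it in every form it renders.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


def authenticate(req, sessions):
    """Resolve the session named by the cookie; both handlers rely on this alone for identity."""
    return sessions.get(req.cookies.get("session"))


def vulnerable_handler(req, sessions, settings):
    """Vulnerable: any cross-site POST that the victim's browser decorates with the cookie succeeds."""
    sess = authenticate(req, sessions)
    if sess is None or req.method != "POST":
        return 403
    settings.update(req.form)
    return 200


def hardened_handler(req, sessions, settings):
    """Hardened: same identity check, plus Origin allow-listing and a per-session token."""
    sess = authenticate(req, sessions)
    if sess is None or req.method != "POST":
        return 403
    # Browsers attach Origin to cross-site POSTs; reject anything not from our own UI.
    if req.headers.get("Origin") not in TRUSTED_ORIGINS:
        return 403
    # The forged page cannot read the victim's token, so it cannot supply it.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403
    settings.update({k: v for k, v in req.form.items() if k != "csrf_token"})
    return 200


def demo():
    """Run a forged request against both handlers, then a legitimate one against the hardened handler."""
    sessions = {"abc": Session(user="admin")}
    settings = {}
    # Constructed forged request: the browser sends the cookie, but the form came from a foreign page.
    forged = Request("POST", "/admin/settings", cookies={"session": "abc"},
                     headers={"Origin": "http://evil.example"}, form={"allow_remote": "1"})
    vuln_status = vulnerable_handler(forged, sessions, dict(settings))
    hard_status = hardened_handler(forged, sessions, dict(settings))
    # Constructed legitimate request: same origin and the session's own token.
    legit = Request("POST", "/admin/settings", cookies={"session": "abc"},
                    headers={"Origin": "http://media.example"},
                    form={"allow_remote": "1", "csrf_token": sessions["abc"].csrf_token})
    legit_status = hardened_handler(legit, sessions, settings)
    return vuln_status, hard_status, legit_status, settings


if __name__ == "__main__":
    print(demo())
```

Running the block prints the status returned for the forged request by each handler (200 for the vulnerable one, 403 for the hardened one), then 200 for the legitimate request and the settings it applied. The Origin check alone is not enough, since some non-browser clients omit the header and older browsers did not send it on every request, which is why the token check is kept as the primary control.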

Information Disclosure
Python stack traces are returned in some HTTP responses, which may allow an attacker to learn details of the target operating system and file locations. This information may be leveraged as part of a larger attack.
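A defender can look for this class of leak in captured responses without knowing the failing endpoint in advance. The following is an added example, not Plex's code or BeyondTrust's, that scans an HTTP response body for a Python traceback and reports what it discloses: the source file paths (which reveal the install location and, by their shape, the operating system) and the exception line. The two sample responses and every path in them are constructed for illustration.

```python
"""Added example: detect Python tracebacks leaked in HTTP responses and
summarize what they disclose. The sample bodies below are constructed."""
import re
from dataclasses import dataclass, field

TRACEBACK_START = "Traceback (most recent call last):"
# One frame of a CPython traceback:   File "<path>", line <n>, in <function>
FRAME_RE = re.compile(r'^\s*File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)', re.M)
# The final line names the exception class, e.g. KeyError: 'x'
EXC_RE = re.compile(r'^(?P<exc>[A-Za-z_][\w.]*(?:Error|Exception)[^\n]*)$', re.M)


@dataclass
class LeakReport:
    found: bool
    paths: list = field(default_factory=list)
    os_guess: str = "unknown"
    exception: str = ""


def guess_os(paths):
    """Infer the platform from path shape: a drive letter means Windows, a leading / means POSIX."""
    if any(re.match(r"^[A-Za-z]:\\", p) for p in paths):
        return "windows"
    if any(p.startswith("/") for p in paths):
        return "posix"
    return "unknown"


def scan_response(body: str) -> LeakReport:
    """Return what a leaked traceback in `body` reveals, or found=False if there is none."""
    if TRACEBACK_START not in body:
        return LeakReport(found=False)
    tail = body[body.index(TRACEBACK_START):]
    paths = [m.group("path") for m in FRAME_RE.finditer(tail)]
    exc_matches = EXC_RE.findall(tail)
    return LeakReport(found=True, paths=paths, os_guess=guess_os(paths),
                      exception=exc_matches[-1] if exc_matches else "")


# Constructed sample: a POSIX install leaking its plugin directory and the interpreter's stdlib path.
SAMPLE_POSIX = """HTTP/1.1 500 Internal Server Error
Content-Type: text/plain

Traceback (most recent call last):
  File "/opt/mediaserver/plugins/channel_handler.py", line 42, in handle
    result = channels[name]
  File "/usr/lib/python2.7/UserDict.py", line 23, in __getitem__
    raise KeyError(key)
KeyError: 'missing-channel'
"""

# Constructed sample: the same failure on a Windows install.
SAMPLE_WINDOWS = r"""HTTP/1.1 500 Internal Server Error
Content-Type: text/plain

Traceback (most recent call last):
  File "C:\mediaserver\plugins\channel_handler.py", line 42, in handle
    result = channels[name]
KeyError: 'missing-channel'
"""

# Constructed sample: a normal response with no traceback.
SAMPLE_CLEAN = "HTTP/1.1 200 OK\nContent-Type: text/xml\n\n<MediaContainer size=\"0\"/>\n"


if __name__ == "__main__":
    for label, body in (("posix", SAMPLE_POSIX), ("windows", SAMPLE_WINDOWS), ("clean", SAMPLE_CLEAN)):
        print(label, scan_response(body))
```

The scanner keys on the literal traceback header and the frame format CPython emits, so it is not tied to any one endpoint; pointing it at a proxy capture or a web server's stored responses is enough to find where an application is echoing interpreter errors to clients.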

BeyondTrust Prevention and Detection:

BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.

  • 33847 - Plex Media Server 0.9.9.7.429 and Prior (Zero-Day)

Mitigation:

No mitigations are currently available.

Links:

CVE(s):

None