CVE-2024-30931
Description
Stored cross-site scripting vulnerability in Emby Media Server 4.8.3.0 allows a remote attacker to escalate privileges via the notifications.html component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Emby Media Server 4.8.3.0 allows low-privileged users to inject JavaScript via the FriendlyName parameter in custom notification creation, leading to privilege escalation to admin.
Vulnerability
CVE-2024-30931 is a stored cross-site scripting (XSS) vulnerability in Emby Media Server version 4.8.3.0. The flaw resides in the custom notification creation feature, where any authenticated user can define webhook notifications. The FriendlyName parameter lacks proper validation, allowing injection of arbitrary HTML and JavaScript. This input is stored and later rendered unsanitized in the notifications component (notifications.html), enabling persistent script execution [1].
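As an added illustration (not Emby's code and not part of this record), the rendering pattern the Vulnerability section describes, placed beside its hardened form; the function names, the row markup, the allowlist rule and the sample stored names are assumptions.

```javascript
// Added example (not Emby's code): contextual HTML encoding for a stored,
// user-controlled string such as a webhook's FriendlyName before it is
// placed into a notifications page. Function names are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated straight into markup,
// so any HTML it contains becomes part of the page for whoever views it
// (an admin included), which is the stored XSS the advisory describes.
function renderNotificationRowUnsafe(notification) {
  return `<li class="notification">${notification.FriendlyName}</li>`;
}

// Hardened pattern: encode for the HTML text context at output time.
function renderNotificationRowSafe(notification) {
  return `<li class="notification">${escapeHtml(notification.FriendlyName)}</li>`;
}

// Defense in depth: an allowlist check when the notification is created.
// Output encoding is still required, because rows stored before the check
// existed would otherwise still execute when rendered.
function isAcceptableFriendlyName(name) {
  return typeof name === 'string' && name.length > 0 && name.length <= 64
    && /^[\w .\-]+$/.test(name);
}

// Constructed sample data: names a low-privileged user might store.
const STORED_NOTIFICATIONS = [
  { FriendlyName: 'Nightly backup hook' },
  { FriendlyName: '<script>alert(1)</script>' },
];

function renderAll(notifications, rowFn) {
  return '<ul>' + notifications.map(rowFn).join('') + '</ul>';
}
```

Rendering `STORED_NOTIFICATIONS` with `renderNotificationRowUnsafe` emits the second name as live markup; with `renderNotificationRowSafe` it is shown as literal text.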
Exploitation
To exploit this, an attacker needs only a valid low-privileged account on the Emby server. No special network position is required, since the attack is carried out through standard authenticated HTTP requests. By placing a malicious payload in the FriendlyName field during notification setup, the attacker causes the injected script to execute whenever an admin or other user views the notifications page. Combined with other security configurations within Emby, this lets the attacker escalate from a standard user to a full platform administrator [1].
Impact
Successful exploitation grants the attacker full administrative control over the Emby Media Server, including access to all media libraries, user management, and server settings. This undermines the intended access control model where invited users should only have limited permissions [1].
Mitigation
The Emby team promptly addressed the issue and released a patch. Users are strongly advised to update Emby Media Server to the latest version. The researcher praised the vendor’s responsive disclosure process and quick turnaround [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: =4.8.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.