CVE-2018-13415

Name of the Vulnerable Software and Affected Versions Plex Media Server version 1.13.2.5154

Description The XML parsing engine for SSDP/UPnP functionality in the affected software is susceptible to an XML External Entity Processing (XXE) attack. This allows remote, unauthenticated attackers to access arbitrary files from the filesystem with the same permission as the user account running the software. Additionally, attackers can initiate SMB connections to capture a NetNTLM challenge/response, potentially leading to cleartext password cracking, or relay a NetNTLM challenge/response to achieve Remote Command Execution in Windows domains.

Recommendations For Plex Media Server version 1.13.2.5154, consider disabling the SSDP/UPnP functionality as a temporary workaround until a patch is available. Restrict access to the XML parsing engine to minimize the risk of exploitation. Avoid using the affected XML parsing engine for SSDP/UPnP functionality until the issue is resolved.