CVE-2023-33193

Name of the Vulnerable Software and Affected Versions Emby Server versions prior to 4.7.12 Emby Server Beta versions prior to 4.8.31

Description This issue may allow administrative access to an Emby Server system, depending on certain user account settings. By spoofing certain headers intended for interoperation with reverse proxy servers, it may be possible to affect the local/non-local network determination, allowing logging in without a password or viewing a list of user accounts that may have no password configured. Impacted are all Emby Server systems that are publicly accessible and where the administrator hasn't tightened the account login configuration for administrative users.

Recommendations For Emby Server versions prior to 4.7.12, update to version 4.7.12 or later to resolve the issue. For Emby Server Beta versions prior to 4.8.31, update to version 4.8.31 or later to resolve the issue. As a temporary workaround, consider tightening the account login configuration for administrative users to minimize the risk of exploitation. Restrict access to the Emby Server system to only necessary users and networks.