FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-11-23 17:01:17 UTC

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: 98f78c7a-a08e-11ed-946e-002b67dfc673
Description: Plex Media Server -- security vulnerability

Plex Security Team reports:

We have recently been made aware of a security vulnerability in Plex Media Server versions prior to 1.25.0 that could allow a local Windows user to obtain administrator privileges without authorization. To be clear, this required the user to already have local, physical access to the computer (just with a different user account on Windows). There are no indications that this exploit could be used from a remote machine.

Plex Media Server versions 1.25.0.5282 and newer are not subject to this vulnerability, and feature additional hardening to prevent similar issues from occurring in the future. Users running older server versions are encouraged to update their Plex Media Server installations.

Discovery: 2021-10-22
Entry: 2023-01-30
Affected packages:
  plexmediaserver < 1.25.0
  plexmediaserver-plexpass < 1.25.0

CVE-2021-42835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42835

VuXML ID: 337960ec-b5dc-11e8-ac58-a4badb2f4699
Description: Plex Media Server -- Information Disclosure Vulnerability

Chris reports:

The XML parsing engine for Plex Media Server's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use this vulnerability to:

  • Access arbitrary files from the filesystem with the same permission as the user account running Plex.
  • Initiate SMB connections to capture NetNTLM challenge/response and crack to clear-text password.
  • Initiate SMB connections to relay NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.

Discovery: 2018-08-01
Entry: 2018-09-11
Affected packages:
  plexmediaserver < 1.13.5.5332
  plexmediaserver-plexpass < 1.13.5.5332

https://seclists.org/fulldisclosure/2018/Aug/1
CVE-2018-13415