Headline
CVE-2021-25827: Incorrect Access Control - Don't require a password on the local network (CVE-2021-25827) · Issue #3784 · MediaBrowser/Emby
Emby Server < 4.7.12.0 is vulnerable to a login bypass attack by setting the X-Forwarded-For header to a local IP-address.
This shows neither your name, nor a description of the vulnerability…?
What do you mean? A CVE never shows the name of the researcher (unfortunately). And it shows the description of the vulnerability. Have you refreshed the cache of your browser?
Here is the whole request response e-mail from MITRE in 2023 about what I requested in 2021:
This email contains information regarding your CVE ID request reports. Each CVE ID request summary is followed by directions or comments for that request.
CVE's that are ** RESERVED ** will remain in a pending state until we are provided with at least one public reference that follows the CVE Entry Reference Requirement rules in section 8.3 (https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_8-3_cve_record_reference_requirements).
For the reports that are given a CVE ID, please be sure to update their respective references to include their assigned CVE IDs.
When the candidates are publicized, please send us the link to the advisory using[ https://cveform.mitre.org](https://cveform.mitre.org/) with "Notify CVE about a publication" as the request type.
---------------------------------------------------------------
> [Vulnerability Type]
>> Incorrect Access Control
---------------------------------------------------------------
> [Additional Information]
>> This vulnerability type is also explained here:
>>[ https://www.sjoerdlangkemper.nl/2017/03/01/bypass-ip-block-with-x-forwarded-for-header/](https://www.sjoerdlangkemper.nl/2017/03/01/bypass-ip-block-with-x-forwarded-for-header/)
---------------------------------------------------------------
> [Affected Component]
>> Emby client and administration panel
---------------------------------------------------------------
> [Attack Type]
>> Remote
---------------------------------------------------------------
> [Impact Escalation of Privileges]
>> true
---------------------------------------------------------------
> [Impact Information Disclosure]
>> true
---------------------------------------------------------------
> [Attack Vectors]
>> To exploit this vulnerability an attacker needs to set the
>> X-Forwarded-For header to a local IP address, in most cases
>> 192.168.1.1 works.
---------------------------------------------------------------
> [Discoverer]
>> Christopher Simmelink
---------------------------------------------------------------
> [Reference]
>>[ http://emby.com](http://emby.com/)
>>[ https://www.sjoerdlangkemper.nl/2017/03/01/bypass-ip-block-with-x-forwarded-for-header/](https://www.sjoerdlangkemper.nl/2017/03/01/bypass-ip-block-with-x-forwarded-for-header/)
---------------------------------------------------------------
> [Vendor of Product]
>> Emby
---------------------------------------------------------------
> [Affected Product Code Base]
>> Emby Web Affected versions: < 4.5.4.0 - No fix released
>> yet, I tried contacting Emby without any luck so far.
---------------------------------------------------------------
Use CVE-2021-25827 for:
** RESERVED ** An issue was discovered in client and administration panel in Emby Web versions 4.5.4.0 and prior, allows attackers to gain escalated privileges and gain sensitive information via crafted X-Forwarded-For parameter to the HTTP request.
Changes, additions, or updates to your request should be sent via a new CVE ID Request through our webform at[ https://cveform.mitre.org/](https://cveform.mitre.org/). You may reference this service request number (1011828) if you need to refer back to this specific report.
Thank you,
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html]```