CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2021-33959
https://notcve.org/view.php?id=CVE-2021-33959
Plex media server 1.21 and before is vulnerable to ddos reflection attack via plex service. Plex Media Server en las versiones 1.21 y anteriores es vulnerable a un ataque DDos de reflexión a través del servicio plex. • https://github.com/lixiang957/CVE-2021-33959 https://www.freebuf.com/articles/web/260338.html • CWE-346: Origin Validation Error •
CVSS: 7.0EPSS: 0%CPEs: 2EXPL: 1CVE-2021-42835
https://notcve.org/view.php?id=CVE-2021-42835
An issue was discovered in Plex Media Server through 1.24.4.5081-e362dc1ee. An attacker (with a foothold in a endpoint via a low-privileged user account) can access the exposed RPC service of the update service component. This RPC functionality allows the attacker to interact with the RPC functionality and execute code from a path of his choice (local, or remote via SMB) because of a TOCTOU race condition. This code execution is in the context of the Plex update service (which runs as SYSTEM). Se ha detectado un problema en Plex Media Server versiones hasta 1.24.4.5081-e362dc1ee. • https://bugsec.com/experts_teams https://forums.plex.tv/t/security-regarding-cve-2021-42835/761510 https://ir-on.io/2021/12/02/local-privilege-plexcalation https://www.plex.tv/media-server-downloads • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-5742
https://notcve.org/view.php?id=CVE-2020-5742
Improper Access Control in Plex Media Server prior to June 15, 2020 allows any origin to execute cross-origin application requests. Un Control de Acceso Inapropiado en Plex Media Server antes del 15 de junio de 2020, permite que cualquier origen ejecute peticiones de aplicaciones de origen cruzado • https://www.tenable.com/security/research/tra-2020-35 •
CVSS: 7.2EPSS: 71%CPEs: 2EXPL: 3CVE-2020-5741 – Plex Media Server Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-5741
Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code. Una Deserialización de Datos No Confiables en Plex Media Server en Windows, permite a un atacante autenticado remoto ejecutar código Python arbitrario. Plex Media Server contains a remote code execution vulnerability that allows an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it. • http://packetstormsecurity.com/files/158470/Plex-Unpickle-Dict-Windows-Remote-Code-Execution.html https://www.tenable.com/security/research/tra-2020-32 https://github.com/tenable/poc/blob/master/plex/plex_media_server/auth_dict_unpickle_rce_exploit_tra_2020_32.py http://support.plex.tv/articles/201105343-advanced-hidden-server-settings https://forums.plex.tv/t/security-regarding-cve-2020-5741/586819 https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/http/plex_unp • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2020-5740
https://notcve.org/view.php?id=CVE-2020-5740
Improper Input Validation in Plex Media Server on Windows allows a local, unauthenticated attacker to execute arbitrary Python code with SYSTEM privileges. Una Comprobación de Entrada Inapropiada en Plex Media Server en Windows, permite a un atacante local no autenticado ejecutar código Python arbitrario con privilegios SYSTEM. • https://www.tenable.com/security/research/tra-2020-25 • CWE-427: Uncontrolled Search Path Element •